Cyber Posture

CVE-2024-57965

Low

Published: 29 January 2025
Modified: 19 September 2025
KEV Added: not listed
Patch: Axios 1.7.8
CVSS Score: 0.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N)
EPSS Score: 0.0009 (25.0th percentile)
Risk Priority: 0 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-57965 is an uncategorised-severity Origin Validation Error (CWE-346) vulnerability in the Axios library (vendor: Axios). Its CVSS base score is 0.0.

Operationally, it is ranked at the 25.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation), prevent: directly requires timely identification, reporting, and correction of flaws like the origin validation error in Axios versions prior to 1.7.8.

RA-5 (Vulnerability Monitoring and Scanning), detect: mandates vulnerability scanning to identify instances of the Axios library affected by CVE-2024-57965.

Prevent: restricts usage of unauthorized or vulnerable software, such as pre-1.7.8 Axios versions, to prevent deployment of the flawed library.

MITRE ATT&CK Enterprise Techniques

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

NVD Description

In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute('href',href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability.

Deeper analysis

CVE-2024-57965 affects the Axios JavaScript library in versions prior to 1.7.8. The issue is located in the lib/helpers/isURLSameOrigin.js file, which fails to use a URL object when determining an origin and includes a potentially unwanted setAttribute('href', href) call.

The vulnerability carries a CVSS v3.1 base score of 0.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N), indicating no impact on confidentiality, integrity, or availability. It is classified under CWE-346 (Origin Validation Error) and could theoretically be exploited by remote attackers with no privileges or user interaction, though it requires high attack complexity and results in a scope change with no measurable effects.

Mitigation is available via the Axios v1.7.8 release, which incorporates changes from GitHub pull request #6714, issue #6351, and commit 0a8d6e19da5b9899a2abafaaa06a75ee548597db. Notably, some parties contend that the fix only addresses a warning generated by a Static Application Security Testing (SAST) tool rather than resolving a genuine vulnerability.
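The defensive pattern at the heart of this record is origin comparison built on the URL object rather than on an anchor element's href. The following is an added example written for this page, not axios's own helper; the page URL, the sample request URLs and the fail-closed handling of opaque origins are assumptions made here.

```javascript
// Added example, not axios's own code: decide whether a request URL shares the
// page's origin by parsing both sides with the WHATWG URL object, instead of
// assigning href to an <a> element and reading its parts back.
function isURLSameOrigin(requestURL, pageURL) {
  let req, page;
  try {
    page = new URL(pageURL);
    // The page URL is the base, so relative requests ('/api', '//host/x')
    // resolve exactly as the browser would resolve them.
    req = new URL(requestURL, page);
  } catch (e) {
    return false; // unparseable input: fail closed, not same-origin
  }
  // `origin` is scheme://host[:port] with default ports dropped, so
  // 'https://a.example:443' and 'https://a.example' compare equal.
  // Opaque origins (data:, javascript:, file:) serialise as the string
  // 'null'; two 'null' strings must never count as a match.
  if (req.origin === 'null' || page.origin === 'null') return false;
  return req.origin === page.origin;
}

// Constructed sample cases for a page served from https://app.example/dashboard
const PAGE = 'https://app.example/dashboard';
const CASES = [
  ['/api/items', true],                           // relative path
  ['https://app.example:443/api', true],          // explicit default port
  ['//other.example/api', false],                 // protocol-relative URL
  ['http://app.example/api', false],              // scheme differs
  ['https://app.example.other.example/', false],  // suffix-match trap
  ['https://app.example:8443/', false],           // port differs
  ['javascript:void(0)', false],                  // opaque origin
  ['https://', false],                            // does not parse
];

// Returns true when every constructed case produced the expected verdict
function allCasesPass() {
  return CASES.every(([url, want]) => isURLSameOrigin(url, PAGE) === want);
}

for (const [url] of CASES) {
  console.log(`${url} -> ${isURLSameOrigin(url, PAGE)}`);
}
```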

Details

CWE(s)

CWE-346 (Origin Validation Error)

Affected Products

axios (vendor: axios), versions ≤ 1.7.8

CVEs Like This One

CVE-2026-42043: same product (Axios Axios)
CVE-2026-42035: same product (Axios Axios)
CVE-2026-42044: same product (Axios Axios)
CVE-2026-42039: same product (Axios Axios)
CVE-2025-62718: same product (Axios Axios)
CVE-2026-42033: same product (Axios Axios)
CVE-2026-25639: same product (Axios Axios)
CVE-2026-40175: same product (Axios Axios)
CVE-2026-42038: same product (Axios Axios)
CVE-2026-41342: shared CWE-346
