Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1.
Remediation
References
Related Vulnerabilities
WordPress Plugin Custom Login Page Customizer-LoginPress Multiple Vulnerabilities (1.1.13)
MySQL CVE-2022-39400 Vulnerability (CVE-2022-39400)
WordPress 4.9.x Multiple Vulnerabilities (4.9 - 4.9.21)
Jenkins Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-3667)
PHP Resource Management Errors Vulnerability (CVE-2011-1468)