CVEReports
Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-RWR8-XRPW-9QF5 · CVSS 5.4 · EPSS 0.04%

The Zombie in the Bundle: Freeform's Hidden Axios Vulnerability

Amit Schendel
Senior Security Researcher

Feb 18, 2026 · 5 min read

PoC Available

Executive Summary (TL;DR)

Freeform < 4.1.22 and < 5.5.9 bundles an old version of Axios vulnerable to SSRF. Update immediately to flush out the stale asset.

A classic supply chain vulnerability affecting Solspace Freeform for Craft CMS. The plugin distributes precompiled JavaScript assets containing an outdated, vulnerable version of the Axios HTTP client (CVE-2024-39338). This creates a scenario where developers update their top-level dependencies, unaware that a 'zombie' library within a plugin's binary blob remains susceptible to Server-Side Request Forgery (SSRF) and protocol confusion attacks.

The Hook: The Zombie Dependency

Modern web development is a Russian Nesting Doll of dependencies. You audit your composer.json, you scan your package.json, and you pat yourself on the back for a job well done. But what about the code you didn't write and can't see in your manifest files? That's where GHSA-RWR8-XRPW-9QF5 lives.

Solspace Freeform, a heavyweight form builder for Craft CMS, committed the cardinal sin of bundling: shipping precompiled assets (minified JavaScript) that baked in an old version of the axios library. While your project might be running the latest and greatest security patches, the compiled freeform.js sitting in your public web root is essentially a time capsule, running a version of Axios older than 1.7.5.

This is a textbook "Zombie Dependency." It's dead code to you—you don't maintain it—but it's very much alive to an attacker who knows it's there. The specific rot in this zombie? CVE-2024-39338, a nasty little flaw in how Axios handles protocol-relative URLs, opening the door to Server-Side Request Forgery (SSRF) scenarios if used in specific environments.

The Flaw: Protocol Confusion

To understand why this matters, we have to look at the underlying vulnerability in Axios (CVE-2024-39338). The issue lies in how the library parses URLs. Developers often assume that if they don't type http:// or https://, the library will treat the input as a path relative to the current domain (e.g., /api/submit).

However, prior to version 1.7.5, Axios had a blind spot. If an attacker supplied a URL starting with // (double slash), Axios would interpret this as a protocol-relative URL. In a browser, //attacker.com inherits the current protocol (http or https). But in server-side contexts (like Node.js wrappers or SSR environments often used alongside modern CMS front-ends), this behavior allows the request to escape the intended host entirely.

It’s a logic gap. The code essentially says, "Oh, you want to go to //localhost:8080/admin? Sure thing!" bypassing any validation logic that only checked for explicit protocol schemes like http: or file:. It turns a constrained API call into an open proxy.

The Code: Anatomy of the Bundle

We don't have a simple diff of Freeform's source code because the vulnerability exists inside a minified distribution file, but we can reconstruct the crime scene based on the Axios fix.

Here is the logic flaw in the vulnerable Axios versions:

// Vulnerable Logic (Conceptual)
function isAbsoluteURL(url) {
  // Failed to account for protocol-relative //
  return /^[a-z][a-z0-9+.-]*:/.test(url);
}

Because //example.com doesn't start with a scheme (like http:), the check fails, and Axios treats it as valid input for certain request paths, which the underlying adapter then resolves as a remote request.

In the patched version (Axios 1.7.5+), the validation is tightened to recognize that // effectively acts as an absolute URL in network contexts:

// The Fix in Axios 1.7.5
function isAbsoluteURL(url) {
  // Now catches // as an absolute URL indicator
  return /^([a-z][a-z\d\+\-\.]*:)?\/\//i.test(url);
}

Freeform's mistake was not in writing bad code, but in freezing bad code in time. By compiling their assets and not updating the build pipeline, they shipped the vulnerable logic above to thousands of Craft CMS installations.
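To make the protocol-confusion gap concrete, here is an added example (not Freeform's or Axios's code) that contrasts a scheme-only check with a hardened same-origin path check for user-supplied redirect or webhook paths, and shows where each input would actually be sent. BASE_ORIGIN and the sample inputs are constructed for the demonstration.

```javascript
// Added example, not Freeform's or Axios's code. BASE_ORIGIN is a
// constructed sample origin standing in for the site that serves the form.
const BASE_ORIGIN = 'https://forms.example.test';

// Scheme-only check, the same shape as the conceptual vulnerable logic above:
// only an explicit "scheme:" prefix counts as absolute.
function hasExplicitScheme(url) {
  return /^[a-z][a-z0-9+.-]*:/i.test(url);
}

// Resolve the input the way a WHATWG-compliant adapter would, against the
// page origin. This makes the protocol-relative escape visible: "//host/p"
// keeps the scheme but swaps the host. Returns null for unparseable input.
function resolveAgainstOrigin(url) {
  try {
    return new URL(url, BASE_ORIGIN).href;
  } catch {
    return null;
  }
}

// Hardened check for a "path on this site" setting: reject anything with a
// scheme, anything opening with two slashes in either direction (the URL
// parser treats "\" like "/" for http(s), so "/\host" and "\\host" also
// escape), and finally confirm that the resolved origin did not change.
// The last step catches what the pattern checks miss, e.g. a leading space
// that the parser strips before it sees "//".
function isSafeRelativePath(url) {
  if (typeof url !== 'string' || url.length === 0) return false;
  if (hasExplicitScheme(url)) return false;
  if (/^[\/\\]{2}/.test(url)) return false;
  const resolved = resolveAgainstOrigin(url);
  return resolved !== null && new URL(resolved).origin === BASE_ORIGIN;
}

// Side-by-side verdict for one input: what the weak check accepts, what the
// hardened check accepts, and where the request would really go.
function classify(url) {
  return {
    input: url,
    schemeOnlyAccepts: !hasExplicitScheme(url),
    hardenedAccepts: isSafeRelativePath(url),
    resolvesTo: resolveAgainstOrigin(url),
  };
}

// Constructed sample inputs: a legitimate path, the metadata address from the
// write-up above, a backslash variant, and an explicit scheme.
const SAMPLES = ['/thank-you', '//169.254.169.254/latest/meta-data/',
  '/\\evil.test/x', ' //evil.test/', 'https://evil.test/'];
for (const s of SAMPLES) console.log(classify(s));
```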

The Exploit: From Input to Exfiltration

How do we weaponize this in a Form Builder? Freeform is designed to take user input and send it places—CRMs, mailing lists, or custom API endpoints. It uses Axios for these AJAX requests.

The Attack Vector: Imagine a Freeform implementation that allows a user (or an admin) to define a webhook URL or a redirection endpoint. If the system relies on Axios to validate or fetch data from that endpoint, an attacker can supply //169.254.169.254/latest/meta-data/.

  1. Injection: The attacker inputs the malicious protocol-relative URL into a form field or configuration setting designed to accept a path (e.g., /thank-you).
  2. Confusion: The vulnerable Axios instance inside the freeform.js bundle sees //169... and treats it as a valid request, inheriting the protocol.
  3. Execution:
    • Client-Side Scenario: If running in the victim's browser, this becomes an Open Redirect or CSRF, forcing the user's browser to send credentials to the attacker's domain.
    • Server-Side Scenario: If Freeform utilizes any server-side rendering (SSR) or Node.js integrations for form processing, the server itself makes the request to the internal metadata service, exposing cloud credentials.

Even without full SSRF, the ability to redirect AJAX requests unpredictably can break CORS policies and leak CSRF tokens to external domains.

The Fix: Exorcising the Ghost

This isn't a vulnerability you can patch by editing a single line in a file. You cannot easily patch a minified Webpack bundle unless you are a glutton for punishment. The only reliable path forward is to replace the vendor's distribution files entirely.

Solspace has released the fix in:

  • Freeform 4.1.22
  • Freeform 5.5.9

These versions were rebuilt with an updated package-lock.json that pulls in Axios 1.7.5 or higher.

WARNING: Cache clearing is mandatory. Simply running composer update is not enough. Browser caches and CDNs (Cloudflare, Fastly) often hold onto the old .js files aggressively. You must purge your asset caches to ensure the new, secure bundle is actually being served to your users.

Official Patches

  • Solspace: Official GitHub Advisory and Patch Notes
  • NVD: NVD Entry for the underlying Axios vulnerability

Technical Appendix

CVSS Score: 5.4 / 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Probability: 0.04%

Affected Systems

  • Craft CMS websites using the Solspace Freeform plugin
  • Solspace Freeform < 4.1.22
  • Solspace Freeform < 5.5.9

Affected Versions Detail

Product                  Vendor    Affected Versions   Fixed Version
solspace/craft-freeform  Solspace  < 4.1.22            4.1.22
solspace/craft-freeform  Solspace  < 5.5.9             5.5.9

Attribute            Detail
Vulnerability Type   Supply Chain / Bundled Dependency
Underlying Flaw      SSRF via Axios (CVE-2024-39338)
Affected Component   Precompiled JS Assets (dist/)
Attack Vector        Network (Protocol-Relative URL Injection)
CVSS                 5.4 (Medium)
Exploit Maturity     Proof of Concept (PoC)

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1210 Exploitation of Remote Services (Lateral Movement)
  • CWE-918 Server-Side Request Forgery (SSRF)
