axios4go Race Condition Vulnerability in HTTP Client Configuration Allows Proxy Misuse and Sensitive Data Interception
Vulnerability
A race condition vulnerability has been identified in axios4go, a Go HTTP client library, in versions prior to 0.6.4. The global default HTTP client is modified during request execution without synchronization, so concurrent requests can overwrite each other's settings on the shared http.Client: its Transport, Timeout, and CheckRedirect properties. Applications that use axios4go for concurrent requests are affected, particularly those that handle sensitive data such as authentication credentials, tokens, or API keys, and those that apply different proxy configurations to different requests. Because the Transport carries the proxy setting, the race can cause one request to be routed through the proxy configured for another, including an attacker-controlled proxy, allowing interception of sensitive data.
Impact
Exploitation of this vulnerability allows for credential theft and man-in-the-middle attacks in environments with concurrent requests.
Remediation
The vulnerability has been patched in version 0.6.4. Users are advised to upgrade immediately. If an immediate upgrade is not possible, apply the following mitigations: avoid calling the global functions with different proxy configurations concurrently, create a separate Client instance for each goroutine, add external synchronization around axios4go calls, and avoid using the Proxy option in concurrent scenarios.
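The following Go program is an added illustration of the mitigation above, not axios4go's own code; the names ProxyPolicy, NewIsolatedClient, ConfigureSharedUnsafe, EffectiveProxy and RunConcurrent are hypothetical, and the proxy hosts are constructed sample values. It contrasts the racy shape this advisory describes (one shared http.Client whose Transport and Timeout are overwritten on every call) with the per-goroutine client the remediation recommends, and uses the Transport's own Proxy function to check where each client would actually route a request.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"sync"
	"time"
)

// ProxyPolicy is the per-request configuration a caller chooses
// (hypothetical type for this example; not an axios4go type).
type ProxyPolicy struct {
	ProxyURL string        // "" means connect directly
	Timeout  time.Duration
}

// NewIsolatedClient builds a fresh http.Client with its own Transport, so no
// other goroutine can change where this client's requests are routed.
func NewIsolatedClient(p ProxyPolicy) (*http.Client, error) {
	tr := &http.Transport{}
	if p.ProxyURL != "" {
		u, err := url.Parse(p.ProxyURL)
		if err != nil {
			return nil, fmt.Errorf("invalid proxy %q: %w", p.ProxyURL, err)
		}
		tr.Proxy = http.ProxyURL(u)
	}
	return &http.Client{Transport: tr, Timeout: p.Timeout}, nil
}

// sharedClient and ConfigureSharedUnsafe reproduce the vulnerable shape: a
// single global client whose fields are rewritten per call with no locking.
// Two goroutines configuring different proxies race on these fields, and the
// last writer decides where *both* of their requests go.
var sharedClient = &http.Client{}

func ConfigureSharedUnsafe(p ProxyPolicy) (*http.Client, error) {
	c, err := NewIsolatedClient(p)
	if err != nil {
		return nil, err
	}
	sharedClient.Transport = c.Transport // unsynchronized write to shared state
	sharedClient.Timeout = c.Timeout
	return sharedClient, nil
}

// EffectiveProxy reports the proxy a client would use for a request to target
// ("" when it connects directly), by asking the Transport's Proxy function.
func EffectiveProxy(c *http.Client, target string) (string, error) {
	tr, ok := c.Transport.(*http.Transport)
	if !ok || tr.Proxy == nil {
		return "", nil
	}
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	u, err := tr.Proxy(req)
	if err != nil || u == nil {
		return "", err
	}
	return u.String(), nil
}

// RunConcurrent gives every goroutine its own client and returns, per policy,
// the proxy that client resolved for target. Because nothing is shared, each
// result matches its policy regardless of how the goroutines interleave.
func RunConcurrent(policies []ProxyPolicy, target string) ([]string, error) {
	results := make([]string, len(policies))
	errs := make([]error, len(policies))
	var wg sync.WaitGroup
	for i, p := range policies {
		wg.Add(1)
		go func(i int, p ProxyPolicy) {
			defer wg.Done()
			c, err := NewIsolatedClient(p)
			if err != nil {
				errs[i] = err
				return
			}
			results[i], errs[i] = EffectiveProxy(c, target)
		}(i, p)
	}
	wg.Wait()
	for _, err := range errs {
		if err != nil {
			return nil, err
		}
	}
	return results, nil
}

func main() {
	target := "https://api.example/token" // constructed sample target
	policies := []ProxyPolicy{
		{ProxyURL: "http://proxy-a.example:3128", Timeout: time.Second},
		{ProxyURL: "http://proxy-b.example:3128", Timeout: time.Second},
	}
	// Racy variant: two goroutines rewrite the same global client concurrently.
	var wg sync.WaitGroup
	for _, p := range policies {
		wg.Add(1)
		go func(p ProxyPolicy) { defer wg.Done(); _, _ = ConfigureSharedUnsafe(p) }(p)
	}
	wg.Wait()
	got, _ := EffectiveProxy(sharedClient, target)
	fmt.Println("shared client now routes via:", got, "(whichever goroutine wrote last)")
	// Safe variant: isolated clients keep their own routing.
	safe, _ := RunConcurrent(policies, target)
	fmt.Println("isolated clients route via:", safe)
}
```

Running the program with the race detector enabled (`go run -race .`) reports the conflicting writes in ConfigureSharedUnsafe, which is the same class of detection that would flag a vulnerable axios4go version under concurrent load; the isolated-client path produces no report.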