Skip to content

fix(deps): vuln axios (minor → 1.18.1) [integration_tests]#795

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/integration_tests/1-1783352940
Draft

fix(deps): vuln axios (minor → 1.18.1) [integration_tests]#795
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/integration_tests/1-1783352940

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: High-severity security update — 1 package upgraded (MINOR changes included)

Manifests changed:

  • integration_tests (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
axios 1.1.3 1.18.1 minor Direct 16 HIGH, 13 MEDIUM, 1 LOW

Security Details

🚨 Critical & High Severity (16 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
axios GHSA-43fc-jf86-j433 HIGH Axios is Vulnerable to Denial of Service via proto Key in mergeConfig 1.1.3 1.13.5 -
axios GHSA-pmwg-cvhr-8vh7 HIGH Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 1.1.3 1.15.1 -
axios CVE-2025-58754 HIGH Axios is vulnerable to DoS attack through lack of data size check 1.1.3 - -
axios GHSA-jr5f-v2jv-69x6 HIGH axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL 1.1.3 1.8.2 -
axios CVE-2025-27152 HIGH Possible SSRF and Credential Leakage via Absolute URL in axios Requests 1.1.3 - -
axios GHSA-4hjh-wcwx-xvwj HIGH Axios is vulnerable to DoS attack through lack of data size check 1.1.3 1.12.0 -
axios GHSA-p92q-9vqr-4j8v HIGH Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter 1.1.3 1.16.0 -
axios GHSA-hfxv-24rg-xrqf HIGH Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection 1.1.3 1.16.0 -
axios GHSA-35jp-ww65-95wh HIGH axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy 1.1.3 1.16.0 -
axios CVE-2026-25639 HIGH Axios affected by Denial of Service via proto Key in mergeConfig 1.1.3 - -
axios GHSA-pjwm-pj3p-43mv HIGH axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) 1.1.3 1.16.0 -
axios GHSA-j5f8-grm9-p9fc HIGH Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection 1.1.3 1.16.0 -
axios GHSA-3g43-6gmg-66jw HIGH axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge 1.1.3 1.15.2 -
axios GHSA-pf86-5x62-jrwf HIGH Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking 1.1.3 1.15.1 -
axios GHSA-q8qp-cvcw-x6jj HIGH Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking 1.1.3 1.15.2 -
axios GHSA-6chq-wfr3-2hj9 HIGH Axios: Header Injection via Prototype Pollution 1.1.3 1.15.1 -
ℹ️ Other Vulnerabilities (14)
Package CVE Severity Summary Unsafe Version Fixed In Case
axios GHSA-w9j2-pvgh-6h63 MODERATE Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy 1.1.3 1.15.1 -
axios GHSA-xx6v-rp6x-q39c MODERATE Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion 1.1.3 1.15.1 -
axios GHSA-62hf-57xw-28j9 MODERATE Axios: unbounded recursion in toFormData causes DoS via deeply nested request data 1.1.3 1.15.1 -
axios GHSA-5c9x-8gcm-mpgx MODERATE Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 1.1.3 1.15.1 -
axios GHSA-3w6x-2g7m-8v23 MODERATE Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver 1.1.3 1.15.2 -
axios GHSA-m7pr-hjqh-92cm MODERATE Axios: no_proxy bypass via IP alias allows SSRF 1.1.3 1.15.1 -
axios GHSA-vf2m-468p-8v99 MODERATE Axios: HTTP adapter streamed responses bypass maxContentLength 1.1.3 1.15.1 -
axios GHSA-fvcv-3m26-pcqx MODERATE Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain 1.1.3 1.15.0 -
axios CVE-2023-45857 MODERATE - 1.1.3 - -
axios GHSA-445q-vr5w-6q77 MODERATE Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream 1.1.3 1.15.1 -
axios GHSA-wf5p-g6vw-rhxx MODERATE Axios Cross-Site Request Forgery Vulnerability 1.1.3 1.6.0 -
axios GHSA-3p68-rc4w-qgx5 MODERATE Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF 1.1.3 1.15.0 -
axios GHSA-898c-q2cr-xwhg MODERATE axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions 1.1.3 1.16.0 -
axios GHSA-xhjh-pmcv-23jw LOW Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams 1.1.3 1.15.1 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-datadog-prod-us1-2

Copy link
Copy Markdown

Pipelines

Fix all issues with BitsAI

⚠️ Warnings

🚦 1 Pipeline job failed

DataDog/datadog-lambda-js | e2e-test-status   View in Datadog   GitLab

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 1792803 | Docs | Datadog PR Page | Give us feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants