chore(monorepo): update overrides axios to >=1.18.1 [security]#5
Open
renovate[bot] wants to merge 1 commit into
Open
chore(monorepo): update overrides axios to >=1.18.1 [security]#5renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
September 26, 2025 04:22
4f24213 to
8418476
Compare
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub. |
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
September 27, 2025 06:38
8418476 to
1ef9d15
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
October 2, 2025 00:06
67a994b to
1ef9d15
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
October 10, 2025 08:09
1ef9d15 to
a2e0a29
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
October 11, 2025 03:44
a2e0a29 to
08e7ad7
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
October 23, 2025 07:59
08e7ad7 to
fc519a3
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
October 26, 2025 07:14
fc519a3 to
ece9ce7
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
November 16, 2025 04:09
ece9ce7 to
e77da43
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
2 times, most recently
from
November 20, 2025 12:06
c045378 to
3edd838
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
December 4, 2025 22:26
3edd838 to
000ec1f
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
December 5, 2025 19:25
000ec1f to
783eb4c
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
December 17, 2025 07:15
783eb4c to
0bc8062
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
January 10, 2026 10:31
5fd4bde to
f83182b
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
January 20, 2026 00:09
f83182b to
fab4d59
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
January 20, 2026 16:14
fab4d59 to
2c40052
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
January 24, 2026 03:47
2c40052 to
bf69159
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
January 25, 2026 06:57
bf69159 to
fea7f0c
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
February 3, 2026 12:08
fea7f0c to
552b981
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
February 4, 2026 08:13
552b981 to
75980c6
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
February 13, 2026 16:02
75980c6 to
5ae08b2
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
2 times, most recently
from
February 20, 2026 07:06
d31f7d3 to
eaf69ec
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
February 21, 2026 06:37
eaf69ec to
50760b3
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
March 8, 2026 11:44
50760b3 to
60aa1e0
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
March 14, 2026 11:07
60aa1e0 to
2ae9eb4
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
April 15, 2026 17:58
2ae9eb4 to
3f06458
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
May 1, 2026 05:57
3f06458 to
ff5e9b4
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
May 2, 2026 15:46
ff5e9b4 to
b37c36b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
>=1.7.4→>=1.18.1Axios is vulnerable to DoS attack through lack of data size check
CVE-2025-58754 / GHSA-4hjh-wcwx-xvwj
More information
Details
Summary
When Axios runs on Node.js and is given a URL with the
data:scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response.This path ignores
maxContentLength/maxBodyLength(which only protect HTTP responses), so an attacker can supply a very largedata:URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requestedresponseType: 'stream'.Details
The Node adapter (
lib/adapters/http.js) supports thedata:scheme. Whenaxiosencounters a request whose URL starts withdata:, it does not perform an HTTP request. Instead, it callsfromDataURI()to decode the Base64 payload into a Buffer or Blob.Relevant code from
[httpAdapter](https://redirect.github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231):The decoder is in
[lib/helpers/fromDataURI.js](https://redirect.github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27):config.maxContentLengthorconfig.maxBodyLength, which only apply to HTTP streams.data:URI of arbitrary size can cause the Node process to allocate the entire content into memory.In comparison, normal HTTP responses are monitored for size, the HTTP adapter accumulates the response into a buffer and will reject when
totalResponseBytesexceeds[maxContentLength](https://redirect.github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550). No such check occurs fordata:URIs.PoC
Run with limited heap to force a crash:
Since Node heap is capped at 100 MB, the process terminates with an out-of-memory error:
Mini Real App PoC:
A small link-preview service that uses axios streaming, keep-alive agents, timeouts, and a JSON body. It allows data: URLs which axios fully ignore
maxContentLength,maxBodyLengthand decodes into memory on Node before streaming enabling DoS.Run this app and send 3 post requests:
Suggestions
Enforce size limits
For
protocol === 'data:', inspect the length of the Base64 payload before decoding. Ifconfig.maxContentLengthorconfig.maxBodyLengthis set, reject URIs whose payload exceeds the limit.Stream decoding
Instead of decoding the entire payload in one
Buffer.fromcall, decode the Base64 string in chunks using a streaming Base64 decoder. This would allow the application to process the data incrementally and abort if it grows too large.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Axios is Vulnerable to Denial of Service via proto Key in mergeConfig
CVE-2026-25639 / GHSA-43fc-jf86-j433
More information
Details
Denial of Service via proto Key in mergeConfig
Summary
The
mergeConfigfunction in axios crashes with a TypeError when processing configuration objects containing__proto__as an own property. An attacker can trigger this by providing a malicious configuration object created viaJSON.parse(), causing complete denial of service.Details
The vulnerability exists in
lib/core/mergeConfig.jsat lines 98-101:When
propis'__proto__':JSON.parse('{"__proto__": {...}}')creates an object with__proto__as an own enumerable propertyObject.keys()includes'__proto__'in the iterationmergeMap['__proto__']performs prototype chain lookup, returningObject.prototype(truthy object)mergeMap[prop] || mergeDeepPropertiesevaluates toObject.prototypeObject.prototype(...)throwsTypeError: merge is not a functionThe
mergeConfigfunction is called by:Axios._request()atlib/core/Axios.js:75Axios.getUri()atlib/core/Axios.js:201get,post, etc.) atlib/core/Axios.js:211,224PoC
Reproduction steps:
npm install axiospoc.mjswith the code abovenode poc.mjsVerified output (axios 1.13.4):
Control tests performed:
{"timeout": 5000}JSON.parse('{"__proto__": {"x": 1}}'){"headers": {"X-Test": "value"}}Attack scenario:
An application that accepts user input, parses it with
JSON.parse(), and passes it to axios configuration will crash when receiving the payload{"__proto__": {"x": 1}}.Impact
Denial of Service - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.
Affected environments:
This is NOT prototype pollution - the application crashes before any assignment occurs.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
axios/axios (axios)
v1.18.1Compare Source
v1.18.1 — June 21, 2026
This release focuses on Node HTTP adapter fixes, safer AxiosError serialisation, runtime/type correctness fixes, documentation updates, and dependency maintenance.
🐛 Bug Fixes
encoder.call(this)receives theAxiosURLSearchParamsinstance correctly. (#11019)🔧 Maintenance & Chores
Documentation: Documented sensitive headers and status transition behaviour, prepared cleaned-up docs, added Deno install instructions, and clarified that request data is request-specific (#11007, #11010, #11023, #11025)
Dependencies: Bumped vite, rollup, form-data, js-yaml, and multer across the root project, docs, smoke tests, and module test workspaces. (#11011, #11012, #11013, #11014, #11015, #11016, #11017, #11026)
🌟 New Contributors
We are thrilled to welcome our new contributors. Thank you for helping improve axios:
Full Changelog
v1.18.0Compare Source
This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.
v1.17.0Compare Source
This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.
v1.16.1Compare Source
This release ships a defence-in-depth fix for prototype pollution in
formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.v1.16.0Compare Source
This release adds support for the QUERY HTTP method and a new
ECONNREFUSEDerror constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.v1.15.2Compare Source
This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in
allowedSocketPathsallowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.v1.15.1Compare Source
This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.
v1.15.0Compare Source
Bug Fixes
Features
Contributors to this release
PRs
1.2.6 (2023-01-28)
Bug Fixes
CommonRequestHeadersList&CommonResponseHeadersListtypes to be private in commonJS; (#5503) (5a3d0a3)Contributors to this release
PRs
1.2.5 (2023-01-26)
Bug Fixes
Contributors to this release
PRs
1.2.4 (2023-01-22)
Bug Fixes
RawAxiosRequestConfigback toAxiosRequestConfig; (#5486) (2a71f49)AxiosRequestConfiggeneric; (#5478) (9bce81b)Contributors to this release
PRs
1.2.3 (2023-01-10)
Bug Fixes
Contributors to this release
PRs
[1.2.2] - 2022-12-29
Fixed
Chores
Contributors to this release
[1.2.1] - 2022-12-05
Changed
Fixed
Refactors
Chores
Contributors to this release
PRs
[1.2.0] - 2022-11-10
Changed
Fixed
Refactors
Chores
Contributors to this release
PRs
[1.1.3] - 2022-10-15
Added
Fixed
Chores
Contributors to this release
PRs
[1.1.2] - 2022-10-07
Fixed
Contributors to this release
PRs
[1.1.1] - 2022-10-07
Fixed
Contributors to this release
PRs
[1.1.0] - 2022-10-06
Fixed
Contributors to this release
PRs
[1.0.0] - 2022-10-04
Added
Changed
Deprecated
Removed
Fixed
Chores
Security
Contributors to this release
Bertrand Marron
Dmitriy Mozgovoy
Dan Mooney
Michael Li
aong
Des Preston
Ted Robertson
zhoulixiang
Arthur Fiorette
Kumar Shanu
JALAL
Jingyi Lin
Philipp Loose
Alexander Shchukin
Dave Cardwell
Cat Scarlet
Luca Pizzini
Kai
Maxime Bargiel
Brian Helba
reslear
Jamie Slome
Landro3
rafw87
Afzal Sayed
Koki Oyatsu
Dave
暴走老七
Spencer
Adrian Wieprzkowicz
Jamie Telin
毛呆
Kirill Shakirov
Rraji Abdelbari
Jelle Schutter
Tom Ceuppens
Johann Cooper
Dimitris Halatsis
chenjigeng
João Gabriel Quaresma
Victor Augusto
neilnaveen
Pavlos
Kiryl Valkovich
Naveen
wenzheng
hcwhan
Bassel Rachid
Grégoire Pineau
felipedamin
Karl Horky
Yue JIN
Usman Ali Siddiqui
WD
Günther Foidl
Stephen Jennings
C.T.Lin
mia-z
Parth Banathia
parth0105pluang
Marco Weber
Luca Pizzini
Willian Agostini
Huyen Nguyen
v1.14.0Compare Source
This release fixes a security vulnerability in the
formidabledependency, resolves a CommonJS compatibility regression, hardens proxy and HTTP/2 handling, and modernises the build and test toolchain.v1.13.6Compare Source
This release adds React Native Blob support, fixes several enumeration and export regressions, and patches FormData detection for WeChat Mini Program environments.
v1.13.5Compare Source
This release patches a prototype pollution denial-of-service vulnerability, fixes a missing
statusfield regression inAxiosError, adds interceptor ordering control, and introduces URL validation forisAbsoluteURL.v1.13.4Compare Source
Patch release fixing regressions introduced in v1.13.3, including TypeScript export compatibility and CI/build stability.
v1.13.3Compare Source
Bug Fixes
Configuration
📅 Schedule: (in timezone America/New_York)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.