[Aikido] Fix 3 security issues in axios, fast-uri#1721
aikido-autofix[bot] wants to merge 2 commits into
Upgrade axios and fast-uri to fix credential leakage on cross-origin redirects, reject malformed URLs, and prevent host canonicalization bypasses.

✅ Code not affected by breaking changes.

✅ No breaking changes from the axios upgrade affect this codebase.

The search revealed that:

- All URLs used in axios calls are properly formatted with `https://` (including the `//`), so the new URL validation will not reject any URLs in this codebase.
- All `validateStatus` usages explicitly define it as a function rather than leaving it undefined, so the changed behavior for `validateStatus: undefined` does not apply to this codebase.

### All breaking changes by upgrading axios from version 1.16.1 to 1.18.1 (CHANGELOG)

- `http:` and `https:` URLs that omit `//` are now rejected with `ERR_INVALID_URL`, whereas they may have been accepted previously.
- `validateStatus: undefined` behavior changed to require opt-in via `transitional.validateStatusUndefinedResolves` to be treated like the option was omitted; without the opt-in, the behavior differs from previous versions.

### ✅ 3 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

- `X-API-Key` and AWS tokens to unintended hosts, allowing attackers to steal sensitive authentication data. This information disclosure vulnerability affects shared environments where secret headers are set by default.
- `//` (e.g., `https:internal.example`) were silently normalized instead of rejected, allowing attackers to bypass URL allowlists or WAF checks and reach unintended hosts. The fix now throws an error for invalid scheme URLs before normalization.

### 🤖 Remediation details

## Fix transitive security vulnerabilities in `axios` and `fast-uri`

### Short summary

This PR remediates high- and medium-severity vulnerabilities in two transitive dependencies: `axios` and `fast-uri`. Both packages were pulled in transitively and their stale lockfile entries were resolved to vulnerable versions. No `package.json` manifest changes were required — both fixes are lockfile-only refreshes, as the existing parent dependency ranges already permitted the patched versions.

### axios

`axios` was resolved at two lockfile entries: one already at `1.18.0` (safe), and a second at `1.16.1` (vulnerable) pulled in transitively by `nx@20.8.4` via its `^1.8.3` range. Because `^1.8.3` already permits `>=1.18.0`, no manifest change was needed — running `yarn up -R axios --mode=update-lockfile` refreshed the lockfile, and Yarn consolidated both selectors (`^1.8.3` and `^1.18.0`) into a single entry resolved at `1.18.1`, eliminating the vulnerable instance entirely.

### fast-uri

`fast-uri` was resolved at `3.1.2` (vulnerable), pulled in transitively by `ajv@8.18.0` via its `^3.0.1` range. Since `^3.0.1` already permits `>=3.1.3`, no manifest change was needed — running `yarn up -R fast-uri --mode=update-lockfile` refreshed the lockfile entry to `3.1.3`, the minimum patched version.

### Version changes

| Package | Before | After | Pulled in by (range) | Reason |
| --- | --- | --- | --- | --- |
| `axios` | `1.16.1` | `1.18.1` | `nx@20.8.4` (`^1.8.3`) | patched CVE in `axios` |
| `fast-uri` | `3.1.2` | `3.1.3` | `ajv@8.18.0` (`^3.0.1`) | patched CVE in `fast-uri` |
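The following Node.js snippet is an added example; it is not part of this PR and is not code from axios or fast-uri. It illustrates the two behaviours the description relies on: a strict check that refuses `http:`/`https:` URLs lacking `//` before any normalization (with a scan over constructed source lines, mirroring the search the bot reports having run), and a redirect helper that keeps credential-bearing headers such as `X-API-Key` only when the redirect target is same-origin. The function names, the header list, and the sample source are assumptions for illustration; only the global WHATWG `URL` class is used.

```javascript
// Added example (not from this PR, axios, or fast-uri). Pure Node.js; uses only
// the global WHATWG URL class. Function names, header list and sample input
// are constructed for illustration.

// 1. Strict http(s) URL check that refuses scheme-only forms before normalising.
//    WHATWG URL silently canonicalises "https:internal.example" to
//    "https://internal.example/", so an allowlist evaluated on the raw string
//    can disagree with the host the request actually reaches.
function parseStrictHttpUrl(raw) {
  if (typeof raw !== 'string') return null;
  const m = /^(https?):(.*)$/i.exec(raw);
  if (!m) return null;                      // not an http(s) URL
  if (!m[2].startsWith('//')) return null;  // "https:host" or "https:/host"
  try {
    return new URL(raw);                    // still run the full parser
  } catch {
    return null;                            // e.g. "https://" with no host
  }
}

// What the lenient parser would have done with the same input.
function whatwgNormalises(raw) {
  try {
    return new URL(raw).href;
  } catch {
    return null;
  }
}

// 2. Audit helper: find string literals in source text that start with
//    http:/https: but fail the strict check (the kind of search the PR
//    description reports running before the upgrade).
function findMalformedUrlLiterals(source) {
  const found = [];
  const re = /(['"`])(https?:[^'"`\s]*)\1/gi;
  let m;
  while ((m = re.exec(source)) !== null) {
    if (parseStrictHttpUrl(m[2]) === null) found.push(m[2]);
  }
  return found;
}

// Constructed sample of call sites, used as audit input.
const SAMPLE_SOURCE = [
  "axios.get('https://api.internal.example/v1/items')",
  "axios.post('https:internal.example/upload', body)",
  'axios.get("http://localhost:8080/health")',
].join('\n');

// 3. Redirect hygiene: keep credential-bearing headers only when the redirect
//    target shares the original origin. The header names are an illustrative set.
const SECRET_HEADERS = new Set([
  'authorization',
  'proxy-authorization',
  'cookie',
  'x-api-key',
  'x-amz-security-token',
]);

function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

function headersForRedirect(headers, fromUrl, toUrl) {
  const from = parseStrictHttpUrl(fromUrl);
  const to = parseStrictHttpUrl(toUrl);
  if (from === null || to === null) {
    throw new Error('redirect involves an invalid http(s) URL');
  }
  if (sameOrigin(from, to)) return { ...headers };
  const scrubbed = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SECRET_HEADERS.has(name.toLowerCase())) scrubbed[name] = value;
  }
  return scrubbed;
}

// Stand-alone demonstration.
console.log('malformed literals:', findMalformedUrlLiterals(SAMPLE_SOURCE));
console.log('lenient parse of https:internal.example ->', whatwgNormalises('https:internal.example'));
console.log(
  'cross-origin redirect headers:',
  headersForRedirect(
    { Authorization: 'Bearer t', 'X-API-Key': 'k', Accept: 'application/json' },
    'https://api.internal.example/v1/items',
    'https://cdn.other.example/items'
  )
);
```

The strict check deliberately runs before `new URL()` so that a scheme-only form is rejected rather than canonicalised; the audit scan can be pointed at a project's source to confirm, as the description does, that no call site depends on the old lenient parsing.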