
[Aikido] Fix 3 security issues in axios, fast-uri #1721

Open: aikido-autofix[bot] wants to merge 2 commits into main from fix/aikido-security-update-packages-59593383-7jhq

[Aikido] Fix 3 security issues in axios, fast-uri#1721
aikido-autofix[bot] wants to merge 2 commits into
mainfrom
fix/aikido-security-update-packages-59593383-7jhq

Conversation

aikido-autofix[bot] (Contributor) commented Jul 2, 2026

Upgrade axios and fast-uri to fix credential leakage on cross-origin redirects, reject malformed URLs, and prevent host canonicalization bypasses.

✅ Code not affected by breaking changes.

✅ No breaking changes from the axios upgrade affect this codebase.

The search revealed that:

  1. All URLs used in axios calls are properly formatted with https:// (including the //), so the new URL validation will not reject any URLs in this codebase.

  2. All validateStatus usages explicitly define it as a function rather than leaving it undefined, so the changed behavior for validateStatus: undefined does not apply to this codebase.

All breaking changes by upgrading axios from version 1.16.1 to 1.18.1 (CHANGELOG)

| Version | Description |
|---|---|
| 1.18.0 | Malformed http: and https: URLs that omit // are now rejected with ERR_INVALID_URL, whereas they may have been accepted previously. |
| 1.18.0 | validateStatus: undefined behavior changed to require opt-in via transitional.validateStatusUndefinedResolves to be treated like the option was omitted; without the opt-in, the behavior differs from previous versions. |
✅ 3 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| AIKIDO-2026-291630 | HIGH | [axios] Cross-origin redirects leak custom credential headers like X-API-Key and AWS tokens to unintended hosts, allowing attackers to steal sensitive authentication data. This information disclosure vulnerability affects shared environments where secret headers are set by default. |
| AIKIDO-2026-38469 | MEDIUM | [axios] Malformed HTTP/HTTPS URLs without // (e.g., https:internal.example) were silently normalized instead of rejected, allowing attackers to bypass URL allowlists or WAF checks and reach unintended hosts. The fix now throws an error for invalid scheme URLs before normalization. |
| AIKIDO-2026-507986 | HIGH | [fast-uri] A security bypass vulnerability exists in host canonicalization for Unicode/IDN values due to inconsistent ASCII/Unicode host handling, which could allow attackers to bypass security checks through improper host normalization. |
🤖 Remediation details

Fix transitive security vulnerabilities in axios and fast-uri

Short summary

This PR remediates high- and medium-severity vulnerabilities in two transitive dependencies: axios and fast-uri. Both packages were pulled in transitively and their stale lockfile entries were resolved to vulnerable versions. No package.json manifest changes were required — both fixes are lockfile-only refreshes, as the existing parent dependency ranges already permitted the patched versions.

axios

axios was resolved at two lockfile entries: one already at 1.18.0 (safe), and a second at 1.16.1 (vulnerable) pulled in transitively by nx@20.8.4 via its ^1.8.3 range. Because ^1.8.3 already permits >=1.18.0, no manifest change was needed — running yarn up -R axios --mode=update-lockfile refreshed the lockfile, and Yarn consolidated both selectors (^1.8.3 and ^1.18.0) into a single entry resolved at 1.18.1, eliminating the vulnerable instance entirely.

fast-uri

fast-uri was resolved at 3.1.2 (vulnerable), pulled in transitively by ajv@8.18.0 via its ^3.0.1 range. Since ^3.0.1 already permits >=3.1.3, no manifest change was needed — running yarn up -R fast-uri --mode=update-lockfile refreshed the lockfile entry to 3.1.3, the minimum patched version.

Version changes

| Package | From | To | Why updated |
|---|---|---|---|
| axios | 1.16.1 | 1.18.1 | Lockfile refresh only; transitive via nx@20.8.4 (^1.8.3); patched CVE in axios |
| fast-uri | 3.1.2 | 3.1.3 | Lockfile refresh only; transitive via ajv@8.18.0 (^3.0.1); patched CVE in fast-uri |
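The three issue classes the bot's comment lists (http:/https: URLs missing //, Unicode/IDN host canonicalization, and credential headers following a cross-origin redirect) are illustrated below with an added example. It is not code from axios, fast-uri, Aikido or this PR; it uses only Node's built-in WHATWG URL parser, and the credential header list, the allowlist and the sample URLs are assumptions made for the illustration.

```javascript
// Added example, not code from axios, fast-uri or this PR. It shows, with
// Node's built-in WHATWG URL parser, the three checks the upgrade is about.
// CREDENTIAL_HEADERS, the allowlist and the sample URLs are assumptions.

// Header names treated as credentials for this example (assumed list).
const CREDENTIAL_HEADERS = new Set([
  "authorization",
  "proxy-authorization",
  "cookie",
  "x-api-key",
  "x-amz-security-token",
]);

// 1. Malformed scheme URLs. The parser turns "https:internal.example" into
//    "https://internal.example/", so a string allowlist applied before parsing
//    and the request issued after parsing can disagree. Reject such input up
//    front instead of letting the parser normalize it.
function strictParseHttpUrl(raw) {
  if (/^https?:(?!\/\/)/i.test(raw)) {
    const err = new Error(`invalid URL, "//" missing after scheme: ${raw}`);
    err.code = "ERR_INVALID_URL"; // same code name the axios changelog uses
    throw err;
  }
  return new URL(raw);
}

// 2. Host canonicalization. Compare hosts only after both sides are in the
//    same form: the parser lower-cases and IDNA-encodes (punycode) the host,
//    so "bücher.example" and "xn--bcher-kva.example" compare equal.
function canonicalHostname(host) {
  return new URL(`https://${host}`).hostname.toLowerCase();
}

function hostAllowed(rawUrl, allowlist) {
  const host = strictParseHttpUrl(rawUrl).hostname.toLowerCase();
  return allowlist.some((allowed) => canonicalHostname(allowed) === host);
}

// 3. Credential headers across redirects. Resolve Location against the
//    current URL (it may be relative) and, if the origin changes, drop the
//    credential headers. Origin includes scheme and port, so an http->https
//    switch on the same host also strips them, which is the conservative choice.
function headersForRedirect(currentUrl, location, headers) {
  const from = strictParseHttpUrl(currentUrl);
  const to = new URL(location, from);
  const sameOrigin = from.origin === to.origin;
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sameOrigin && CREDENTIAL_HEADERS.has(name.toLowerCase())) continue;
    kept[name] = value;
  }
  return { url: to.href, headers: kept, crossOrigin: !sameOrigin };
}

// Constructed sample: an API call carrying an X-API-Key is redirected to
// another host; the key must not follow it, the Accept header may.
function demo() {
  const headers = { "X-API-Key": "k-123", Accept: "application/json" };
  return headersForRedirect(
    "https://api.example/v1/users",
    "https://cdn.other.example/capture",
    headers,
  );
}

console.log(demo());
```

The point of routing the allowlist entries through the parser too is that an allowlist written in one spelling (Unicode or ASCII) must match a request written in the other; comparing raw strings is exactly the inconsistent ASCII/Unicode handling the fast-uri entry describes.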

@aikido-autofix aikido-autofix Bot requested a review from a team as a code owner July 2, 2026 23:50