From 2911168e4eae555517f28c58201c0e68dc95784f Mon Sep 17 00:00:00 2001
From: Sahitya Chandra
Date: Sun, 12 Apr 2026 23:45:42 +0530
Subject: [PATCH] fix(security): upgrade axios to 1.15.0 to fix critical CVEs (#28850)

Upgrades axios from 1.13.5 to 1.15.0 in apps/api/v2 and the root resolutions field to resolve two critical vulnerabilities:
- GHSA-3p68-rc4w-qgx5: NO_PROXY hostname normalization bypass leading to SSRF
- GHSA-fvcv-3m26-pcqx: Unrestricted cloud metadata exfiltration via header injection
Both CVEs are fixed in axios >=1.15.0.
---
 apps/api/v2/package.json | 2 +-
 package.json | 2 +-
 yarn.lock | 19 +++++++++++++------
 3 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/apps/api/v2/package.json b/apps/api/v2/package.json
index 4ce63269f3a717..cef3be78ac2b98 100644
--- a/apps/api/v2/package.json
+++ b/apps/api/v2/package.json
@@ -62,7 +62,7 @@
 "@sentry/node": "9.46.0",
 "@sentry/profiling-node": "9.46.0",
 "@snyk/protect": "latest",
- "axios": "1.13.5",
+ "axios": "1.15.0",
 "body-parser": "1.20.3",
 "bull": "4.15.1",
 "class-transformer": "0.5.1",
diff --git a/package.json b/package.json
index 17de92f933abd2..25b76d24f2401d 100644
--- a/package.json
+++ b/package.json
@@ -138,7 +138,7 @@
 "jpeg-js": "0.4.4",
 "validator": "13.15.22",
 "form-data": "4.0.4",
- "axios": "1.13.5",
+ "axios": "1.15.0",
 "jws": "4.0.1",
 "jsonwebtoken": "9.0.0",
 "sha.js": "2.4.12",
diff --git a/yarn.lock b/yarn.lock
index 838a26c3f11d78..00eef74e65fdc2 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1967,7 +1967,7 @@ __metadata:
 "@types/luxon": "npm:3.4.2"
 "@types/passport-jwt": "npm:3.0.13"
 "@types/supertest": "npm:2.0.16"
- axios: "npm:1.13.5"
+ axios: "npm:1.15.0"
 body-parser: "npm:1.20.3"
 bull: "npm:4.15.1"
 class-transformer: "npm:0.5.1"
@@ -17900,14 +17900,14 @@ __metadata:
 languageName: node
 linkType: hard

-"axios@npm:1.13.5":
- version: 1.13.5
- resolution: "axios@npm:1.13.5"
+"axios@npm:1.15.0":
+ version: 1.15.0
+ resolution: "axios@npm:1.15.0"
 dependencies:
 follow-redirects: "npm:^1.15.11"
 form-data: "npm:^4.0.5"
- proxy-from-env: "npm:^1.1.0"
- checksum: 10/db726d09902565ef9a0632893530028310e2ec2b95b727114eca1b101450b00014133dfc3871cffc87983fb922bca7e4874d7e2826d1550a377a157cdf3f05b6
+ proxy-from-env: "npm:^2.1.0"
+ checksum: 10/d39a2c0ebc7ff4739401b282e726cc2673377949d6c46d60eb619458f8d7a2f7eadbcada7097f4dbc7d5c59abb4d3bf6fac33d474412bc3415d3f5aa7ed45530
 languageName: node
 linkType: hard

@@ -33008,6 +33008,13 @@ __metadata:
 languageName: node
 linkType: hard

+"proxy-from-env@npm:^2.1.0":
+ version: 2.1.0
+ resolution: "proxy-from-env@npm:2.1.0"
+ checksum: 10/fbbaf4dab2a6231dc9e394903a5f66f20475e36b734335790b46feb9da07c37d6b32e2c02e3e2ea4d4b23774c53d8562e5b7cc73282cb43f4a597b7eacaee2ee
+ languageName: node
+ linkType: hard
+
 "pseudomap@npm:^1.0.1":
 version: 1.0.2
 resolution: "pseudomap@npm:1.0.2"