fix(deps): update dependency axios to v1.13.5 [security]#2483
Open
renovate[bot] wants to merge 1 commit into
Open
fix(deps): update dependency axios to v1.13.5 [security]#2483renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
|
Important Review skippedBot user detected. To trigger a single review, invoke the You can disable this status message by setting the Comment |
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
September 30, 2025 10:41
4b67029 to
5ac3621
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
October 25, 2025 19:54
5ac3621 to
8d58348
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
5 times, most recently
from
November 20, 2025 21:03
e9c7d18 to
f259e5a
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
December 1, 2025 18:52
f259e5a to
2ff6730
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
3 times, most recently
from
December 11, 2025 19:40
822d804 to
bc2cc57
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
March 1, 2026 16:08
bc2cc57 to
9d1dc43
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
2 times, most recently
from
March 18, 2026 18:18
4a819f3 to
06bca7e
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
2 times, most recently
from
March 30, 2026 22:10
06bca7e to
9ebb14f
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
2 times, most recently
from
April 27, 2026 23:42
9ebb14f to
778caf7
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
May 28, 2026 17:29
778caf7 to
f0ab90c
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
June 21, 2026 17:30
f0ab90c to
5830c62
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
June 22, 2026 17:03
5830c62 to
b0ac364
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.7.4→1.13.5Server-Side Request Forgery in axios
CVE-2024-39338 / GHSA-8hc4-vh64-cxmj
More information
Details
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
Severity
High
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Axios is vulnerable to DoS attack through lack of data size check
CVE-2025-58754 / GHSA-4hjh-wcwx-xvwj
More information
Details
Summary
When Axios runs on Node.js and is given a URL with the
data:scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response.This path ignores
maxContentLength/maxBodyLength(which only protect HTTP responses), so an attacker can supply a very largedata:URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requestedresponseType: 'stream'.Details
The Node adapter (
lib/adapters/http.js) supports thedata:scheme. Whenaxiosencounters a request whose URL starts withdata:, it does not perform an HTTP request. Instead, it callsfromDataURI()to decode the Base64 payload into a Buffer or Blob.Relevant code from
[httpAdapter](https://redirect.github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231):The decoder is in
[lib/helpers/fromDataURI.js](https://redirect.github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27):config.maxContentLengthorconfig.maxBodyLength, which only apply to HTTP streams.data:URI of arbitrary size can cause the Node process to allocate the entire content into memory.In comparison, normal HTTP responses are monitored for size, the HTTP adapter accumulates the response into a buffer and will reject when
totalResponseBytesexceeds[maxContentLength](https://redirect.github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550). No such check occurs fordata:URIs.PoC
Run with limited heap to force a crash:
Since Node heap is capped at 100 MB, the process terminates with an out-of-memory error:
Mini Real App PoC:
A small link-preview service that uses axios streaming, keep-alive agents, timeouts, and a JSON body. It allows data: URLs which axios fully ignore
maxContentLength,maxBodyLengthand decodes into memory on Node before streaming enabling DoS.Run this app and send 3 post requests:
Suggestions
Enforce size limits
For
protocol === 'data:', inspect the length of the Base64 payload before decoding. Ifconfig.maxContentLengthorconfig.maxBodyLengthis set, reject URIs whose payload exceeds the limit.Stream decoding
Instead of decoding the entire payload in one
Buffer.fromcall, decode the Base64 string in chunks using a streaming Base64 decoder. This would allow the application to process the data incrementally and abort if it grows too large.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Axios is Vulnerable to Denial of Service via proto Key in mergeConfig
CVE-2026-25639 / GHSA-43fc-jf86-j433
More information
Details
Denial of Service via proto Key in mergeConfig
Summary
The
mergeConfigfunction in axios crashes with a TypeError when processing configuration objects containing__proto__as an own property. An attacker can trigger this by providing a malicious configuration object created viaJSON.parse(), causing complete denial of service.Details
The vulnerability exists in
lib/core/mergeConfig.jsat lines 98-101:When
propis'__proto__':JSON.parse('{"__proto__": {...}}')creates an object with__proto__as an own enumerable propertyObject.keys()includes'__proto__'in the iterationmergeMap['__proto__']performs prototype chain lookup, returningObject.prototype(truthy object)mergeMap[prop] || mergeDeepPropertiesevaluates toObject.prototypeObject.prototype(...)throwsTypeError: merge is not a functionThe
mergeConfigfunction is called by:Axios._request()atlib/core/Axios.js:75Axios.getUri()atlib/core/Axios.js:201get,post, etc.) atlib/core/Axios.js:211,224PoC
Reproduction steps:
npm install axiospoc.mjswith the code abovenode poc.mjsVerified output (axios 1.13.4):
Control tests performed:
{"timeout": 5000}JSON.parse('{"__proto__": {"x": 1}}'){"headers": {"X-Test": "value"}}Attack scenario:
An application that accepts user input, parses it with
JSON.parse(), and passes it to axios configuration will crash when receiving the payload{"__proto__": {"x": 1}}.Impact
Denial of Service - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.
Affected environments:
This is NOT prototype pollution - the application crashes before any assignment occurs.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
axios/axios (axios)
v1.13.5Compare Source
This release patches a prototype pollution denial-of-service vulnerability, fixes a missing
statusfield regression inAxiosError, adds interceptor ordering control, and introduces URL validation forisAbsoluteURL.v1.13.4Compare Source
Patch release fixing regressions introduced in v1.13.3, including TypeScript export compatibility and CI/build stability.
v1.13.3Compare Source
Bug Fixes
Features
undefinedas a value in AxiosRequestConfig (#5560) (095033c)Reverts
Contributors to this release
v1.13.2Compare Source
Bug Fixes
Performance Improvements
Contributors to this release
v1.13.1Compare Source
Bug Fixes
Contributors to this release
v1.13.0Compare Source
Bug Fixes
Features
Contributors to this release
1.12.2 (2025-09-14)
Bug Fixes
Contributors to this release
1.12.1 (2025-09-12)
Bug Fixes
Contributors to this release
v1.12.2Compare Source
Bug Fixes
Features
Contributors to this release
1.12.2 (2025-09-14)
Bug Fixes
Contributors to this release
1.12.1 (2025-09-12)
Bug Fixes
Contributors to this release
v1.12.1Compare Source
Bug Fixes
Features
Contributors to this release
1.12.2 (2025-09-14)
Bug Fixes
Contributors to this release
1.12.1 (2025-09-12)
Bug Fixes
Contributors to this release
v1.12.0Compare Source
Bug Fixes
Features
Contributors to this release
1.12.2 (2025-09-14)
Bug Fixes
Contributors to this release
1.12.1 (2025-09-12)
Bug Fixes
Contributors to this release
v1.11.0Compare Source
Bug Fixes
Contributors to this release
v1.10.0Compare Source
Bug Fixes
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.