[UID2-6900] Fix CVE-2025-62718: Upgrade axios 1.13.5→1.15.0#241

Merged
sunnywu merged 1 commit into main from syw-UID2-6900-fix-cve-2025-62718
Apr 10, 2026

Conversation

Contributor

@sunnywu sunnywu commented Apr 10, 2026

Summary

  • CVE: CVE-2025-62718 — axios NO_PROXY Hostname Normalization Bypass → SSRF (CRITICAL)
  • Upgrades axios from ^1.13.5 to ^1.15.0 in package.json to remediate the vulnerability
  • All 19 test suites (811 tests) pass with the upgraded version

Vulnerability Details

CVE-2025-62718 is a CRITICAL Server-Side Request Forgery (SSRF) vulnerability in axios where the NO_PROXY environment variable hostname normalization can be bypassed. An attacker can exploit this to make the server issue requests to internal/restricted hosts that should be blocked by NO_PROXY rules.

Affected version: axios < 1.15.0
Fixed version: axios >= 1.15.0

Changes

  • package.json: Updated axios dependency from ^1.13.5 to ^1.15.0
  • package-lock.json: Regenerated to reflect axios 1.15.0

Jira Ticket

UID2-6900

Test Plan

  • npm install completed successfully with axios 1.15.0
  • All 19 test suites passed (npm test): 811 tests passed, 14 skipped
  • Verified package-lock.json resolves node_modules/axios to version 1.15.0

🤖 Generated with Claude Code
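The last Test Plan item verifies that the lock file resolves `node_modules/axios` to 1.15.0. The following is an added example, not code from this PR or from the UID2 project, that automates that check over a `package-lock.json` (lockfileVersion 2 or 3) and goes one step further than the top-level check by also reporting nested axios copies installed under other packages' `node_modules`, which stay vulnerable even after the top-level upgrade. The sample lock-file contents are constructed.

```javascript
// Added example (not the PR's own code): audit a package-lock.json for axios
// copies below the CVE-2025-62718 fix threshold (1.15.0), including nested
// copies under other packages' node_modules that a top-level check would miss.
const FIXED_VERSION = "1.15.0";

// Numeric comparison of dotted versions. A pre-release (e.g. 1.15.0-beta.1)
// is treated as lower than the corresponding release, so it is not accepted as fixed.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  const pre = (v) => v.includes("-");
  if (pre(a) !== pre(b)) return pre(a) ? -1 : 1;
  return 0;
}

// Every resolved axios entry in a parsed lock file (lockfileVersion 2/3,
// where "packages" is keyed by install path), as {path, version}.
function axiosEntries(lock) {
  const out = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/axios$/.test(p)) out.push({ path: p, version: meta.version });
  }
  return out;
}

// Install paths of axios copies still below the fixed version; an empty
// list means the lock file is fully remediated for this CVE.
function vulnerableAxiosPaths(lockJsonText) {
  return axiosEntries(JSON.parse(lockJsonText))
    .filter((e) => compareVersions(e.version, FIXED_VERSION) < 0)
    .map((e) => e.path);
}

// Constructed sample lock files: the before/after states described in the PR,
// plus an "after" variant with a nested copy that the top-level check would not notice.
const LOCK_BEFORE = JSON.stringify({ lockfileVersion: 3, packages: {
  "node_modules/axios": { version: "1.13.5" } } });
const LOCK_AFTER = JSON.stringify({ lockfileVersion: 3, packages: {
  "node_modules/axios": { version: "1.15.0" } } });
const LOCK_AFTER_NESTED = JSON.stringify({ lockfileVersion: 3, packages: {
  "node_modules/axios": { version: "1.15.0" },
  "node_modules/some-sdk/node_modules/axios": { version: "1.13.5" } } });
```

Run `vulnerableAxiosPaths` on the real lock file's text; anything it returns still needs an override or an upstream bump before the CVE can be considered closed.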

@sunnywu sunnywu merged commit da24a7d into main Apr 10, 2026
3 checks passed
@sunnywu sunnywu deleted the syw-UID2-6900-fix-cve-2025-62718 branch April 10, 2026 02:11