
CVEs in the "Axios" node package #173

Description

@nbevans

Hello

Microsoft Defender inventory assessment has picked up high severity CVEs in the Axios package.

It looks like the latest version of the task (v4.5.12) unfortunately took a dependency on this package:

`c:\ado-agent\_work\_tasks\wikipdfexporttask_48d40d27-32e1-460e-8ea6-0dfb48abdd6f\4.5.12\node_modules\axios\package.json`

```csv
Name,Severity,CVSS v3,Epss score,Age (days),Published,First detected,Updated,Has Exploit,Has Known Threats,Has Associated Alerts,Related Software,Exposed Machines,Description
CVE-2026-42037,Medium,5.3,0.00085,34,"23 Apr, 2026","05 May, 2026","05 May, 2026",False,False,False,axios:axios;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:langfuse-fips-3.152;chainguard:lerna;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;minimus:openclaw,1,"Summary: Axios versions 1.0.0 to before 1.15.1 contain a vulnerability in the `FormDataPart` constructor within `lib/helpers/formDataToStream.js`. The issue arises from the direct interpolation of the `value.type` property into the `Content-Type` header of multipart parts without sanitizing CRLF (`\r\n`) sequences. This allows attackers controlling the `.type` property of a Blob/File-like object to inject arbitrary MIME part headers into the multipart form-data body, bypassing Node.js v18+ built-in header protections. Impact: Exploitation of this vulnerability can lead to bypassing server-side Content-Type-based upload filters, confusing multipart parsers, injecting phantom form fields, and exploiting downstream server vulnerabilities trusting per-part headers. This poses significant risks to applications using Axios for handling user-provided files. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: The vulnerability is confirmed to be exploitable via the public Axios API (`axios.post(url, formData)`) without special configurations. The issue has been addressed in Axios version 1.15.1. Generated by AI"
CVE-2026-42033,High,7.4,0.00043,33,"24 Apr, 2026","05 May, 2026","07 May, 2026",False,False,False,axios:axios;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:langfuse-fips-3.152;chainguard:lerna;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;minimus:openclaw,1,"Summary: Axios versions prior to 1.15.1 and 0.31.1 are vulnerable to prototype pollution attacks due to the lack of 'hasOwnProperty' guards when reading certain configuration keys. This allows attackers to intercept and modify JSON responses or hijack HTTP transport, potentially exposing sensitive data such as credentials, headers, and request bodies. Impact: Exploitation of this vulnerability can lead to unauthorized access to sensitive data, manipulation of application responses, and compromise of communication integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: The vulnerability requires prototype pollution from a separate source in the same process, such as outdated npm packages. Confirmed affected versions are >= 0.19.0, <= 1.13.6. Generated by AI"
CVE-2026-42043,High,7.2,0.0006,34,"23 Apr, 2026","05 May, 2026","07 May, 2026",False,False,False,axios:axios;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:langfuse-fips-3.152;chainguard:lerna;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;minimus:openclaw,1,"Summary: Axios versions prior to 1.15.1 and 0.31.1 contain a vulnerability in the NO_PROXY hostname resolution logic, allowing an attacker to bypass NO_PROXY protection by using any address within the 127.0.0.0/8 range, excluding 127.0.0.1. This issue stems from an incomplete patch for CVE-2025-62718, which failed to account for the entire IPv4 loopback address range as defined by RFC 1122. Impact: Exploitation of this vulnerability enables attackers to route requests intended for loopback addresses through a configured proxy, potentially exposing sensitive internal services and data. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: The vulnerability has been independently verified on Axios version 1.15.0, Node.js v22.16.0, and Kali Linux. The issue arises due to a hardcoded set of loopback addresses that does not include the full 127.0.0.0/8 range. Generated by AI"
CVE-2026-42036,Medium,5.3,0.00071,34,"23 Apr, 2026","05 May, 2026","05 May, 2026",False,False,False,axios:axios;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:langfuse-fips-3.152;chainguard:lerna;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;minimus:openclaw,1,"Summary: Axios versions prior to 1.15.1 and 0.31.1 are vulnerable due to the lack of enforcement of the maxContentLength parameter when the responseType is set to 'stream'. This allows unbounded downstream consumption of response streams, bypassing configured response-size limits. Impact: Exploitation of this vulnerability can lead to denial-of-service conditions or unbounded resource consumption in Node.js applications relying on maxContentLength as a safety boundary. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: The vulnerability is present in the lib/adapters/http.js file, where the maxContentLength enforcement is applied only in the non-stream buffering branch. Proof-of-concept testing demonstrated the ability to bypass the maxContentLength limit when using streamed responses. Generated by AI"
CVE-2026-42039,Medium,6.9,0.00071,34,"23 Apr, 2026","05 May, 2026","07 May, 2026",False,False,False,axios:axios;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:langfuse-fips-3.152;chainguard:lerna;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;minimus:openclaw,1,"Summary: Axios versions prior to 1.15.1 and 0.31.1 contain a vulnerability in the 'toFormData' function, which recursively processes nested objects without a depth limit. This can result in a RangeError and crash the Node.js process when deeply nested values are passed as request data. Impact: Exploitation of this vulnerability allows remote, unauthenticated attackers to cause a denial of service by crashing the Node.js process, potentially disrupting server-side applications that use Axios for handling client-supplied data. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: The vulnerability is triggered by the recursive 'build' function in 'toFormData', which lacks safeguards for maximum depth. This issue affects server-side applications that forward client-supplied objects into Axios requests, leading to potential crashes in request handlers or worker threads. Generated by AI"
CVE-2025-62718,Medium,6.3,0.00069,48,"09 Apr, 2026","09 Apr, 2026","21 May, 2026",False,False,False,axios:axios;microsoft:python-tensorboard;fedora:nextcloud;fedora:nextcloud-mysql;fedora:nextcloud-postgresql;fedora:nextcloud-httpd;fedora:nextcloud-nginx;fedora:nextcloud-sqlite;fedora:pgadmin4;fedora:pgadmin4-langpack-fr;fedora:pgadmin4-langpack-cs;fedora:pgadmin4-langpack-ru;fedora:pgadmin4-qt-debuginfo;fedora:pgadmin4-langpack-it;fedora:pgadmin4-doc;fedora:pgadmin4-langpack-ja;fedora:pgadmin4-langpack-es;fedora:pgadmin4-langpack-pl;fedora:pgadmin4-langpack-ko;fedora:pgadmin4-langpack-de;fedora:pgadmin4-qt;fedora:pgadmin4-httpd;fedora:pgadmin4-debugsource;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:kubeflow-pipelines;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:kubeflow-pipelines;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:lerna;chainguard:librechat;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;chainguard:wazuh-dashboard;minimus:kibana-8.19;minimus:kibana-9.3;minimus:openclaw,1,"Summary: Axios, a promise-based HTTP client for browsers and Node.js, has a vulnerability in versions prior to 1.15.0 and 0.31.0 where hostname normalization is not correctly handled when evaluating NO_PROXY rules. Specifically, requests to loopback addresses such as 'localhost.' (with a trailing dot) or '[::1]' (IPv6 literal) bypass NO_PROXY matching and are routed through the configured proxy. This behavior contradicts expected functionality and can allow attackers to force requests through a proxy, potentially bypassing protections for loopback or internal services. Impact: Exploitation of this vulnerability can lead to proxy bypass and Server-Side Request Forgery (SSRF) attacks, enabling attackers to access sensitive internal services or exfiltrate data via an attacker-controlled proxy. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: This issue is confirmed in Axios version 1.12.2 and affects all versions prior to 1.15.0 and 0.31.0. The vulnerability arises from the lack of hostname normalization, such as stripping trailing dots or normalizing IPv6 literals, before evaluating NO_PROXY rules. Generated by AI"
CVE-2026-42038,Medium,6.8,0.0006,34,"23 Apr, 2026","05 May, 2026","05 May, 2026",False,False,False,axios:axios;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:langfuse-fips-3.152;chainguard:lerna;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;minimus:openclaw,1,"Summary: Axios versions prior to 1.15.1 and 0.31.1 are affected by a vulnerability in the 'no_proxy' hostname normalization mechanism. The 'shouldBypassProxy()' function performs pure string matching without resolving IP aliases or loopback equivalents, causing requests to '127.0.0.1' and '[::1]' to route through the proxy even when 'no_proxy=localhost' is set. This issue enables bypassing proxy restrictions. Impact: Exploitation of this vulnerability allows attackers to route requests intended for internal services, such as cloud metadata endpoints, through an attacker-controlled proxy, potentially exposing sensitive internal data. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: The vulnerability is addressed in Axios versions 1.15.1 and 0.31.1, where the 'shouldBypassProxy()' function resolves loopback aliases to ensure proper proxy bypass functionality. Generated by AI"
CVE-2026-42040,Low,3.7,0.00061,34,"23 Apr, 2026","05 May, 2026","05 May, 2026",False,False,False,axios:axios;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:langfuse-fips-3.152;chainguard:lerna;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;minimus:openclaw,1,"Summary: The vulnerability exists in the `encode()` function within `lib/helpers/AxiosURLSearchParams.js`, where a character mapping (`charMap`) reverses the safe percent-encoding of null bytes. Specifically, the mapping converts `%00` back to a raw null byte (`\x00`), deviating from the expected safe encoding direction. This issue affects all versions prior to 1.15.1 and 0.31.1. Impact: Exploitation could allow remote attackers to bypass input encoding, potentially leading to URL truncation, WAF bypass, or log injection in downstream C-based parsers. However, the standard Axios request flow is not affected, limiting the primary impact. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: The vulnerability is classified under CWE-626 (Null Byte Interaction Error) and CWE-116 (Improper Encoding or Escaping of Output). It has a CVSS score of 3.7 (Low), with a vector of `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N`. The issue is fixed in versions 1.15.1 and 0.31.1. Generated by AI"
CVE-2026-25639,High,7.5,0.00044,107,"09 Feb, 2026","03 Apr, 2026","21 May, 2026",False,False,False,axios:axios;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:lerna;chainguard:librechat;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;minimus:kibana-8.19;minimus:kibana-9.2;minimus:kibana-9.3,1,"Summary: The vulnerability in the `mergeConfig` function of Axios prior to versions 0.30.3 and 1.13.5 allows a denial of service attack. This occurs when processing configuration objects containing `__proto__` as an own property, leading to a TypeError crash. The issue arises from the handling of `__proto__` properties during object merging. Impact: Exploitation of this vulnerability can result in a complete denial of service for applications using Axios, particularly those processing user-controlled JSON objects as configuration inputs. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: The vulnerability is triggered by the `mergeConfig` function's handling of `__proto__` properties, which causes a TypeError due to improper function invocation. This affects Axios methods such as `get`, `post`, and others that utilize `mergeConfig`. Generated by AI"
CVE-2026-42042,Medium,5.4,0.00048,34,"23 Apr, 2026","05 May, 2026","05 May, 2026",False,False,False,axios:axios;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:langfuse-fips-3.152;chainguard:lerna;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;minimus:openclaw,1,"Summary: A vulnerability in the Axios library's XSRF token protection logic allows the bypass of same-origin checks due to the use of JavaScript truthy/falsy semantics instead of strict boolean comparison for the 'withXSRFToken' configuration property. This issue can be exploited through prototype pollution or misconfiguration, causing XSRF tokens to be sent to all request targets, including attacker-controlled cross-origin servers. The vulnerability affects all versions of Axios prior to 1.15.1 and 0.31.1. Impact: Exploitation of this vulnerability can lead to the leakage of XSRF tokens, enabling cross-site request forgery (CSRF) attacks. This issue is limited to browser environments where XSRF logic is active and does not directly compromise session tokens. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: The vulnerability is located in 'lib/helpers/resolveConfig.js' and is triggered when the 'withXSRFToken' property is set to a truthy non-boolean value. This results in the short-circuiting of the 'isURLSameOrigin' check, causing the XSRF token to be sent to unintended destinations. The issue is classified under CWE-201 and CWE-183, with a CVSS score of 5.4 (Medium). Generated by AI"
CVE-2026-42264,High,7.4,0.0007,22,"05 May, 2026","05 May, 2026","16 May, 2026",False,False,False,axios:axios;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:langfuse-fips-3.152;chainguard:lerna;chainguard:librechat;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;minimus:openclaw,1,"Summary: Axios versions 1.0.0 to before 1.15.2 contain a vulnerability where five configuration properties in the HTTP adapter are accessed directly without 'hasOwnProperty' checks, making them susceptible to prototype pollution. This issue allows polluted values from 'Object.prototype' to be utilized in HTTP requests, potentially leading to unauthorized actions. Impact: Exploitation of this vulnerability can result in credential injection, request hijacking, server-side request forgery (SSRF), code execution during HTTP redirects, and enabling insecure HTTP parsers, which may lead to request smuggling. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: The root cause is the lack of 'hasOwnProperty' checks in the 'mergeConfig()' function for specific properties. Existing safeguards for other properties are not applied to the affected ones. Generated by AI"
CVE-2026-42035,High,7.4,0.00035,34,"23 Apr, 2026","05 May, 2026","10 May, 2026",False,False,False,axios:axios;fedora:nextcloud;fedora:nextcloud-mysql;fedora:nextcloud-postgresql;fedora:nextcloud-httpd;fedora:nextcloud-nginx;fedora:nextcloud-sqlite;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:langfuse-fips-3.152;chainguard:lerna;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;minimus:openclaw,1,"Summary: Axios versions prior to 1.15.1 and 0.31.1 contain a prototype pollution vulnerability in the HTTP adapter (lib/adapters/http.js). This issue allows attackers to inject arbitrary HTTP headers into outgoing requests by exploiting duck-type checks on the data payload. If Object.prototype is polluted with specific properties, Axios misidentifies plain object payloads as FormData instances and calls attacker-controlled functions, merging malicious headers into requests. Impact: Exploitation of this vulnerability can lead to authentication bypass, session fixation, privilege escalation, IP spoofing, and WAF bypass. In certain architectures, this may result in a scope change, affecting downstream services relying on forwarded identity headers. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: The vulnerability requires a prototype pollution primitive in the application's dependency chain and the use of Axios for HTTP requests with a data payload. The issue is resolved in Axios versions 1.15.1 and 0.31.1. Generated by AI"
CVE-2026-40175,Medium,4.8,0.00063,47,"10 Apr, 2026","11 Apr, 2026","10 Apr, 2026",False,False,False,axios:axios;microsoft:python-tensorboard;fedora:nextcloud;fedora:nextcloud-mysql;fedora:nextcloud-postgresql;fedora:nextcloud-httpd;fedora:nextcloud-nginx;fedora:nextcloud-sqlite;fedora:pgadmin4;fedora:pgadmin4-langpack-fr;fedora:pgadmin4-langpack-cs;fedora:pgadmin4-langpack-ru;fedora:pgadmin4-qt-debuginfo;fedora:pgadmin4-langpack-it;fedora:pgadmin4-doc;fedora:pgadmin4-langpack-ja;fedora:pgadmin4-langpack-es;fedora:pgadmin4-langpack-pl;fedora:pgadmin4-langpack-ko;fedora:pgadmin4-langpack-de;fedora:pgadmin4-qt;fedora:pgadmin4-httpd;fedora:pgadmin4-debugsource;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:lerna;chainguard:librechat;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;chainguard:wazuh-dashboard;minimus:kibana-8.19;minimus:kibana-9.3;minimus:openclaw,1,"Summary: The Axios library is vulnerable to a critical attack chain involving Prototype Pollution, which can escalate into Remote Code Execution (RCE) or full cloud compromise by bypassing AWS IMDSv2 protections. This vulnerability stems from a lack of HTTP header sanitization in the 'lib/adapters/http.js' component, allowing polluted properties to be merged into request headers and enabling request smuggling attacks. Impact: Exploitation of this vulnerability can lead to security control bypass, authentication bypass, cache poisoning, and unauthorized access to cloud resources, potentially compromising sensitive data and system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: The vulnerability affects all Axios versions prior to 1.15.0 and 0.3.1. It requires no direct user input and leverages polluted properties from other libraries in the stack. The issue is addressed in versions 1.15.0 and 0.3.1. Generated by AI"
CVE-2026-42041,Medium,4.8,0.00148,34,"23 Apr, 2026","05 May, 2026","07 May, 2026",False,False,False,axios:axios;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:langfuse-fips-3.152;chainguard:lerna;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;minimus:openclaw,1,"Summary: Axios versions prior to 1.15.1 and 0.31.1 are vulnerable to a Prototype Pollution attack affecting the `validateStatus` configuration property. This vulnerability allows an attacker to modify `Object.prototype` such that all HTTP error responses (e.g., 401, 403, 500) are treated as successful responses, bypassing application-level authentication and error handling. The issue arises due to the use of the `mergeDirectKeys` strategy, which employs the `in` operator, inherently traversing the prototype chain. Impact: Exploitation of this vulnerability can lead to authentication bypass, silent suppression of error responses, and potential unauthorized access to protected resources. Applications relying on Axios for HTTP status-based error handling are particularly at risk. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: The vulnerability is rooted in the `mergeDirectKeys` strategy within Axios's configuration merging logic, which uniquely affects the `validateStatus` property. This property uses the `in` operator, making it susceptible to prototype pollution. The issue has been addressed in versions 1.15.1 and 0.31.1. Generated by AI"
CVE-2026-42034,Medium,5.3,0.00071,33,"24 Apr, 2026","05 May, 2026","05 May, 2026",False,False,False,axios:axios;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:langfuse-fips-3.152;chainguard:lerna;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;minimus:openclaw,1,"Summary: Axios versions prior to 1.15.1 and 0.31.1 contain a vulnerability where the 'maxBodyLength' parameter is bypassed for stream request bodies when 'maxRedirects' is set to 0, allowing oversized streamed uploads to proceed despite strict body limits. Impact: This vulnerability can lead to denial of service or resource exhaustion in Node.js services relying on 'maxBodyLength' enforcement for streamed request bodies. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: The issue arises due to the native HTTP/HTTPS transport path not enforcing 'maxBodyLength' for streamed data, as detailed in the Axios library's 'http.js' adapter implementation. Generated by AI"
CVE-2026-42044,Medium,6.5,0.00139,33,"24 Apr, 2026","05 May, 2026","12 May, 2026",False,False,False,axios:axios;wolfi:jitsucom-jitsu;wolfi:kubeflow-centraldashboard;wolfi:langfuse-3;wolfi:lerna;wolfi:opensearch-dashboards-2;wolfi:opensearch-dashboards-3;wolfi:prism;chainguard:jitsucom-jitsu;chainguard:kibana-7.17;chainguard:kubeflow-centraldashboard;chainguard:langfuse-2;chainguard:langfuse-3;chainguard:langfuse-fips-2;chainguard:langfuse-fips-3;chainguard:langfuse-fips-3.152;chainguard:lerna;chainguard:librechat;chainguard:opensearch-dashboards-2;chainguard:opensearch-dashboards-2-fips;chainguard:opensearch-dashboards-3;chainguard:opensearch-dashboards-3-fips;chainguard:prism;chainguard:redisinsight;minimus:openclaw,1,"Summary: Axios versions from 1.0.0 to before 1.15.2 are vulnerable to a Prototype Pollution attack via the 'parseReviver' function. This allows an attacker to exploit polluted 'Object.prototype' properties to invisibly modify JSON API responses, enabling privilege escalation, financial manipulation, and authorization bypass. The vulnerability stems from the 'transformResponse' function in 'lib/defaults/index.js', which calls 'JSON.parse(data, this.parseReviver)' without validating the 'parseReviver' property, allowing selective modification of JSON values. Impact: Exploitation of this vulnerability can lead to unauthorized access, data manipulation, and silent data exfiltration, compromising the integrity and confidentiality of the application. Remediation: Apply the latest patches and updates provided by the respective vendors. AdditionalInformation: The vulnerability is classified under CWE-1321 and CWE-915, with a CVSS score of 9.1 (Critical). It affects all Axios versions prior to 1.15.2. The issue arises due to the lack of validation for the 'parseReviver' property in the Axios configuration object. Generated by AI"
```
