chore(deps): update dependency axios to v0.31.1 [security] - autoclosed#414
Closed
renovate[bot] wants to merge 1 commit into
Closed
chore(deps): update dependency axios to v0.31.1 [security] - autoclosed#414renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Contributor
Author
|
❌ Deploy preview failed at Netlify. @jimmyandrade take a look please
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.21.2→0.31.1Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in
withXSRFTokenBoolean CoercionCVE-2026-42042 / GHSA-xx6v-rp6x-q39c
More information
Details
Vulnerability Disclosure: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in
withXSRFTokenBoolean CoercionSummary
The Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the
withXSRFTokenconfig property. When this property is set to any truthy non-boolean value (via prototype pollution or misconfiguration), the same-origin check (isURLSameOrigin) is short-circuited, causing XSRF tokens to be sent to all request targets including cross-origin servers controlled by an attacker.Severity: Medium (CVSS 5.4)
Affected Versions: All versions since
withXSRFTokenwas introducedVulnerable Component:
lib/helpers/resolveConfig.js:59Environment: Browser-only (XSRF logic only runs when
hasStandardBrowserEnvis true)CWE
CVSS 3.1
Score: 5.4 (Medium)
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NUsage of "Helper" Vulnerabilities
This vulnerability requires Zero Direct User Input when triggered via prototype pollution.
If an attacker can pollute
Object.prototype.withXSRFTokenwith any truthy value (e.g.,1,"true",{}), Axios will automatically inherit this value during config merge. The truthy value short-circuits the same-origin check, causing the XSRF cookie value to be sent as a request header to every destination.Vulnerable Code
File:
lib/helpers/resolveConfig.js, lines 57-66Designed behavior:
true→ always send token (explicit cross-origin opt-in)false→ never send tokenundefined→ send only for same-origin requestsActual behavior for non-boolean truthy values (
1,"false",{},[]):Proof of Concept
Verified PoC Output
Impact Analysis
Object.prototype.withXSRFToken = 1affects every axios request in the applicationwithXSRFToken: "false"(string) instead offalse(boolean) triggers the same issue without PPLimitations:
hasStandardBrowserEnv)Recommended Fix
Use strict boolean comparison:
Resources
Timeline
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
CVE-2026-42039 / GHSA-62hf-57xw-28j9
More information
Details
Summary
toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError.
Details
lib/helpers/toFormData.js:210 defines an inner
build(value, path)that recurses into every object/array child (line 225:build(el, path ? path.concat(key) : [key])). The only safeguard is astackarray used to detect circular references; there is no maximum depth and no try/catch around the recursion. Becausebuildcalls itself once per nesting level, a payload nested roughly 2000+ levels deep exhausts V8's call stack.toFormDatais the serializer behindFormDatarequest bodies andAxiosURLSearchParams(used bybuildURLwhenparamsis an object withURLSearchParamsunavailable, seelib/helpers/buildURL.js:53andlib/helpers/AxiosURLSearchParams.js:36). Any server-side code that forwards a client-supplied object intoaxios({ data, params })therefore reaches the recursive walker with attacker-controlled depth.The RangeError is thrown synchronously from inside
forEach, escapestoFormData, and propagates out of the axios request call. In typical Express/Fastify request handlers this terminates the running request; in synchronous startup paths or worker threads it can crash the whole process.PoC
Server-side reachability example:
Verified on axios 1.15.0 (latest, 2026-04-10), Node.js 20, 3/3 PoC runs reproduce the RangeError at depth 2500.
Impact
A remote, unauthenticated attacker who can influence an object passed to axios as request
dataorparamstriggers an uncaught RangeError inside the synchronous recursive walker. In server-side applications that proxy or re-send client JSON through axios this crashes the request handler and, in worker/cluster setups, the process. Fix by bounding recursion depth intoFormData'sbuildfunction (reject or throw on depths beyond a configurable limit, e.g. 100) or rewriting the walker iteratively.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
axios/axios (axios)
v0.31.1Compare Source
This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed
dist/artefacts along with Bower support.dist/Removed:dist/bundles are no longer committed to the repo, andbower.jsonplus the Gruntpackage2bowertask have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#10747)🔒 Security Fixes
isFormDatato reject plain/null-prototype objects and requireappend, and guarded the Node HTTP adapter sodata.getHeaders()is only merged when it is not inherited fromObject.prototype. Blocks injected headers via pollutedgetHeaders. (#10750)mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks fortransport,env,Blob,formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#10752)maxDepth(default100,Infinitydisables) totoFormDataand params serialisation, throwingAxiosErrorwith codeERR_FORM_DATA_DEPTH_EXCEEDEDwhen exceeded. Circular-reference detection is preserved. (#10728)%00→ null-byte substitution fromAxiosURLSearchParams.encodeso%00is preserved as-is. Other encoding behaviour (including%20→+) unchanged. (#10737)v0.x:maxContentLengthenforcement forresponseType: 'stream'via a guarded transform with deferred piping,maxBodyLengthenforcement for streamed uploads on nativehttp/httpswithmaxRedirects: 0, and stricterwithXSRFTokenhandling so only own booleantrueenables cross-origin XSRF headers. (#10764)🔧 Maintenance & Chores
.github/CODEOWNERSwith* @​jasonsaaymanto set a default reviewer for all paths. (#10740)Full Changelog
v0.31.0Compare Source
This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and
zizmorscanning, resolves TypeScript typing issues inAxiosInstance, and fixes a performance regression inisEmptyObject().🔒 Security Fixes
Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper
NO_PROXY/no_proxyenforcement covering wildcards, explicit ports, loopback aliases (localhost,127.0.0.1,::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, andparsed.hostis used for correct port and IPv6 handling. (#10688)CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces
zizmorsecurity scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a requirednpm-publishGitHub Environment with configurable reviewer protections. (#10638, #10639, #10667)🐛 Bug Fixes
TypeScript —
AxiosInstanceReturn Types: Fixes return types inAxiosInstancemethods to correctly resolve toPromise<R>(matchingAxiosPromise<T>semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (#6253, #7328)Performance: Fixes a performance regression in
isEmptyObject()that caused excessive computation when the argument was a large string. (#6484)🔧 Maintenance & Chores
🌟 New Contributors
We are thrilled to welcome our new contributors. Thank you for helping improve axios:
Full Changelog
v0.30.3: Release notes - v0.30.3Compare Source
This is a critical security maintenance release for the v0.x branch. It addresses a high-priority vulnerability involving prototype pollution that could lead to a Denial of Service (DoS).
Recommendation: All users currently on the 0.x release line should upgrade to this version immediately to ensure environment stability.
🛡️ Security Fixes
⚙️ Maintenance & CI
Configuration Merging Behavior:
As part of the security fix, Axios now restricts the merging of the proto key within configuration objects. If your codebase relies on unconventional deep-merging patterns that target the object prototype via Axios config, those operations will now be blocked. This is a necessary change to prevent prototype pollution.
Full Changelog: v0.30.2...v0.30.3
v0.30.2Compare Source
What's Changed
maxContentLengthvulnerability fix to v0.x by @FeBe95 in #7034New Contributors
Full Changelog: axios/axios@v0.30.1...v0.30.2
v0.30.1Compare Source
Release notes:
Bug Fixes
Contributors to this release
Full Changelog: axios/axios@v0.30.0...v0.30.1
v0.30.0Compare Source
Release notes:
Bug Fixes
Contributors to this release
Full Changelog: axios/axios@v0.29.0...v0.30.0
v0.29.0Compare Source
Release notes:
Bug Fixes
Contributors to this release
v0.28.1Compare Source
Release notes:
Release notes:
Bug Fixes
reqis not defined (#6307)v0.28.0Compare Source
Release notes:
Bug Fixes
withXSRFTokenoption to v0.x (#6091)Backports from v1.x:
axios.formToJSONmethod (#4735)url-encoded-formserializer to respect theformSerializerconfig (#4721)string[]toAxiosRequestHeaderstype (#4322)AxiosErrorstack capturing; (#4718)AxiosErrorstatus code type; (#4717)blobto the list of protocols supported by the browser (#4678)v0.27.2Compare Source
Fixes and Functionality:
v0.27.1Compare Source
Fixes and Functionality:
v0.27.0Compare Source
Breaking changes:
Content-Typerequest header when passing FormData (#3785)transformRequestandtoFormData(#4470)QOL and DevX improvements:
Fixes and Functionality:
Internal and Tests:
Documentation:
Notes:
v0.26.1Compare Source
Fixes and Functionality:
v0.26.0Compare Source
Fixes and Functionality:
v0.25.0Compare Source
Breaking changes:
Fixes and Functionality:
booleanandnumbertypes (#4144)undefined(#3153)Internal and Tests:
Documentation:
Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:
v0.24.0Compare Source
Breaking changes:
Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:
v0.23.0Compare Source
Breaking changes:
Fixes and Functionality:
Internal and Tests:
Documentation:
Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:
v0.22.0Compare Source
Fixes and Functionality:
Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:
v0.21.4Compare Source
Fixes and Functionality:
Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:
v0.21.3Compare Source
Fixes and Functionality:
Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.