Skip to content

[Aikido] Fix 9 security issues in axios, follow-redirects#19

Open
aikido-autofix[bot] wants to merge 1 commit into
masterfrom
fix/aikido-security-update-packages-8396033-thLS
Open

[Aikido] Fix 9 security issues in axios, follow-redirects#19
aikido-autofix[bot] wants to merge 1 commit into
masterfrom
fix/aikido-security-update-packages-8396033-thLS

Conversation

@aikido-autofix

@aikido-autofix aikido-autofix Bot commented Oct 8, 2025

Copy link
Copy Markdown

This PR will resolve the following CVEs:

CVE ID Severity Description
CVE-2025-27152
HIGH
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impac
CVE-2025-58754
HIGH
Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a...
CVE-2023-45857
MEDIUM
An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
AIKIDO-2025-10185
MEDIUM
Affected versions of this package are vulnerable to server-side request forgery (SSRF) because allowAbsoluteUrls is not set to false by default when processing URLs in buildFullPath(). This unsafe default may lead to unintended URL acceptance, allowing attackers to bypass expected restrictions...
CVE-2020-28168
MEDIUM
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
CVE-2022-0155
MEDIUM
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
CVE-2024-28849
MEDIUM
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials...
CVE-2023-26159
MEDIUM
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect...
CVE-2022-0536
MEDIUM
Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.

Related Tasks:

@aikido-autofix aikido-autofix Bot added bug Something isn't working documentation Improvements or additions to documentation labels Oct 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants