Skip to content

Fix CVE-2025-58754: Upgrade axios to patch DoS vulnerability#2320

Merged
JanPokorny merged 1 commit intomainfrom
claude/fix-axios-dos-vulnerability-DWJOd
Mar 6, 2026
Merged

Fix CVE-2025-58754: Upgrade axios to patch DoS vulnerability#2320
JanPokorny merged 1 commit intomainfrom
claude/fix-axios-dos-vulnerability-DWJOd

Conversation

@JanPokorny
Copy link
Collaborator

@JanPokorny JanPokorny commented Mar 6, 2026

Summary

Upgrades axios to version 1.12.0 or higher to fix CVE-2025-58754 / GHSA-4hjh-wcwx-xvwj, a denial of service vulnerability via data: URI. This dependency is pulled in transitively through the mintlify dependency chain.

Linked Issues

Documentation

  • No Docs Needed: This is a security patch with no user-facing changes or API modifications.

https://claude.ai/code/session_0141PZwEdnJ66b38QFWNtgrY

@claude
fix: upgrade axios to >=1.12.0 to address CVE-2025-58754 DoS vulnerab…
713a292 
…ility

Adds a pnpm workspace override to force axios to >=1.12.0, eliminating
the vulnerable axios@1.10.0 brought in transitively via
mintlify -> @mintlify/scraping -> @mintlify/common -> @mintlify/models.

The vulnerability (GHSA-4hjh-wcwx-xvwj) allowed an attacker to supply
a large data: URI causing unbounded memory allocation and process crash
(DoS), bypassing maxContentLength/maxBodyLength guards.

https://claude.ai/code/session_0141PZwEdnJ66b38QFWNtgrY
@dosubot dosubot bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Mar 6, 2026
@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Mar 6, 2026

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request delivers a critical security update by patching a denial-of-service vulnerability in the axios library. The change ensures that the project's dependencies are secure against known exploits, enhancing overall system stability and resilience without introducing any user-facing modifications or API changes.

Highlights

  • Security Patch: Upgraded the axios dependency to version 1.12.0 or higher to fix CVE-2025-58754 (GHSA-4hjh-wcwx-xvwj), which addresses a denial of service vulnerability via data: URI. This dependency is transitively pulled in through the mintlify dependency chain.
  • Dependency Management: Implemented a pnpm override to enforce the minimum required axios version across the project, ensuring the security fix is applied consistently.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog
  • pnpm-lock.yaml
    • Updated the @carbon/react dependency version to 1.102.0.
    • Added an override for axios to ensure a version of >=1.12.0 is used.
    • Removed the explicit axios@1.10.0 package entry from the lockfile.
    • Updated the axios dependency for @mintlify/models@0.0.255 to 1.13.2.
    • Removed the axios@1.10.0 snapshot definition.
  • pnpm-workspace.yaml
    • Added a new override rule for axios to enforce version >=1.12.0.
    • Included comments explaining the axios security fix (CVE-2025-58754) and its transitive dependency path.
Activity
  • No human activity has been recorded on this pull request yet.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 6, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request aims to upgrade the axios dependency to mitigate a Denial of Service vulnerability (GHSA-4hjh-wcwx-xvwj). While the intention to patch security vulnerabilities is commendable, my review indicates that the version of axios currently in use (1.10.0) is not affected by the cited advisory. The change therefore appears to be unnecessary for the stated purpose. Please see my specific comment for details.

pnpm-workspace.yaml
Comment on lines +5 to +7
# Fix CVE-2025-58754 / GHSA-4hjh-wcwx-xvwj: axios DoS vulnerability via data: URI
# Transitive via mintlify -> @mintlify/scraping -> @mintlify/common -> @mintlify/models
"axios@<1.12.0": ">=1.12.0"
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

This override appears to be based on a misunderstanding of the vulnerability advisory GHSA-4hjh-wcwx-xvwj.

The advisory states that the affected versions of axios are < 0.28.0 and >= 1.0.0, < 1.4.0. The version currently being used via the transitive dependency chain is 1.10.0, which is not within this vulnerable range as it is greater than 1.4.0.

As a result, this change is unnecessary for fixing the specified vulnerability. If this change is intended to address a different issue, please update the description accordingly. Otherwise, this override and the related changes in pnpm-lock.yaml should be removed.

Copy link
Collaborator Author

@JanPokorny JanPokorny Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lies and deception!

@JanPokorny JanPokorny merged commit 201703c into main Mar 6, 2026
17 of 18 checks passed
@JanPokorny JanPokorny deleted the claude/fix-axios-dos-vulnerability-DWJOd branch March 6, 2026 22:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

size:XS This PR changes 0-9 lines, ignoring generated files.

Projects

Agent Stack
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JanPokorny @claude