axios has two known SSRF vulnerabilities (CVE audit)#10

Open · rachyandco wants to merge 1 commit into rarimo:main from rachyandco:update_axios

Conversation

@rachyandco

Location: package.json — "axios": "^1.7.2", resolved to 1.13.2

Issue: pnpm audit flags two critical CVEs:

  • GHSA-3p68-rc4w-qgx5 — NO_PROXY hostname normalization bypass leads to SSRF (patched in ≥1.15.0)
  • GHSA-fvcv-3m26-pcqx — Unrestricted cloud metadata exfiltration via header injection chain (patched in ≥1.15.0)

Impact: In a mobile SDK context the direct SSRF risk is lower (no server-side proxy
topology), but header injection could be exploited if rarimeApiUrl is attacker-influenced.

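One defensive check for the impact note above, as an added example that is not part of this PR or of the rarimo code base: validate the configured base URL against an allowlist of legitimate API hosts before it is ever handed to the HTTP client, so an attacker-influenced `rarimeApiUrl` cannot redirect requests or smuggle credentials. `ALLOWED_API_HOSTS`, `validateApiBaseUrl` and `isAllowedApiBaseUrl` are assumed names, the host list is a placeholder, and the example relies only on the WHATWG `URL` parser built into Node, not on axios. It goes slightly beyond the text by canonicalising hostname case and trailing dots, so that an equivalent spelling of a host is compared the same way as the plain form.

```javascript
// Added example (not from the rarimo PR): guard an attacker-influenceable
// base URL such as `rarimeApiUrl` before building an HTTP client with it.
// Assumption: the SDK knows the fixed set of API hosts it legitimately uses.

// Hypothetical allowlist; replace with the real API hosts of the SDK.
const ALLOWED_API_HOSTS = new Set(["api.example.com", "staging-api.example.com"]);

// Canonical form of a DNS name: lower-case and without a trailing dot.
// "API.example.com." and "api.example.com" name the same host, so the
// allowlist comparison must not be fooled by either spelling.
function canonicalHost(hostname) {
  let h = hostname.toLowerCase();
  while (h.endsWith(".")) h = h.slice(0, -1);
  return h;
}

// Returns a rebuilt "https://host[:port]" origin on success and throws with a
// reason otherwise. Rejects non-https schemes, embedded credentials, and any
// host not on the allowlist (which also excludes IP literals, localhost and
// internal names, since they never appear on the list).
function validateApiBaseUrl(raw, allowedHosts = ALLOWED_API_HOSTS) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    throw new Error("rarimeApiUrl is not a valid absolute URL");
  }
  if (url.protocol !== "https:") {
    throw new Error("rarimeApiUrl must use https");
  }
  if (url.username !== "" || url.password !== "") {
    throw new Error("rarimeApiUrl must not embed credentials");
  }
  const host = canonicalHost(url.hostname);
  if (!allowedHosts.has(host)) {
    throw new Error(`host "${host}" is not an allowed API host`);
  }
  // Rebuild the origin from the validated parts; callers never use the raw
  // string, so path, query or fragment tricks in the input cannot leak through.
  return url.port ? `https://${host}:${url.port}` : `https://${host}`;
}

// Boolean convenience wrapper for callers that only need a yes/no answer.
function isAllowedApiBaseUrl(raw, allowedHosts = ALLOWED_API_HOSTS) {
  try {
    validateApiBaseUrl(raw, allowedHosts);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample inputs showing accepted and rejected forms.
const samples = [
  "https://API.example.com./v1",           // accepted, canonicalised
  "https://staging-api.example.com:8443",  // accepted, non-default port kept
  "http://api.example.com",                // rejected: not https
  "https://user:pw@api.example.com",       // rejected: embedded credentials
  "https://api.example.com.evil.test",     // rejected: not on the allowlist
  "not a url",                             // rejected: unparsable
];
for (const s of samples) {
  console.log(`${isAllowedApiBaseUrl(s) ? "allow " : "reject"}  ${s}`);
}
```

The validated origin, not the raw string, is what should become the client's `baseURL`; keeping the allowlist in the SDK rather than in configuration is what makes the check meaningful when the configuration itself is the untrusted input.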