SB20260424168 - Multiple vulnerabilities in axios

Published: April 24, 2026

Security Bulletin ID SB20260424168
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Prototype pollution (CVE-ID: N/A)

The vulnerability allows a remote attacker to inject credentials and hijack requests.

The vulnerability exists due to improperly controlled modification of object prototype attributes in the HTTP adapter, which reads configuration properties via direct property access and therefore honours values inherited from a polluted prototype. A remote attacker who can pollute Object.prototype through another dependency in the same process can inject credentials and hijack requests.

Exploitation requires that another dependency in the same process has already polluted the prototype; requests using relative URLs can then be redirected to an attacker-controlled server.


2) Prototype pollution (CVE-ID: N/A)

The vulnerability allows a remote attacker to tamper with JSON API responses.

The vulnerability exists due to prototype pollution in parseReviver in lib/defaults/index.js when parsing JSON responses. A remote attacker can pollute Object.prototype.parseReviver via another vulnerable library in the dependency tree to tamper with JSON API responses.

Exploitation requires a separate prototype pollution source in the application's dependency tree.
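Both entries share one root cause: a plain `obj.prop` read falls through to Object.prototype whenever the object has no own property of that name. The following added example (not axios code; the function names are hypothetical and the pollution source is constructed in-process) shows the direct read beside an own-property read for a request setting, and a JSON parse that ignores an inherited reviver.

```javascript
// Added example, not code from axios: shows why reading request configuration
// or a JSON reviver with plain property access is unsafe once another module
// in the same process has polluted Object.prototype.

// Vulnerable pattern: a plain read falls through to Object.prototype
// whenever the config object has no own property of that name.
function readDirect(config, key) {
  return config[key];
}

// Hardened pattern: only honour properties the caller set on the object itself.
function readOwn(config, key) {
  return Object.hasOwn(config, key) ? config[key] : undefined;
}

// Hardened JSON parsing: apply a reviver only when it was supplied directly,
// never one inherited from the prototype chain.
function parseJsonSafely(text, options = {}) {
  const reviver = Object.hasOwn(options, 'parseReviver') ? options.parseReviver : undefined;
  return typeof reviver === 'function' ? JSON.parse(text, reviver) : JSON.parse(text);
}

// Constructed stand-in for a pollution source elsewhere in the dependency tree.
// The property is removed again so the rest of the process is unaffected.
function withPollutedPrototype(key, value, fn) {
  Object.prototype[key] = value;
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}

// Constructed demonstration of both issues from the bulletin.
function demo() {
  const config = { url: '/api/users' }; // relative URL, no own baseURL
  const body = '{"user":"alice","role":"user"}';
  const tamperingReviver = (k, v) => (k === 'role' ? 'admin' : v);
  const polluted = 'https://attacker.invalid'; // constructed value
  return {
    // Issue 1: an inherited baseURL silently re-targets a relative request.
    baseURLDirect: withPollutedPrototype('baseURL', polluted, () => readDirect(config, 'baseURL')),
    baseURLOwn: withPollutedPrototype('baseURL', polluted, () => readOwn(config, 'baseURL')),
    // Issue 2: an inherited parseReviver rewrites the parsed response.
    roleDirect: withPollutedPrototype('parseReviver', tamperingReviver,
      () => JSON.parse(body, readDirect({}, 'parseReviver')).role),
    roleSafe: withPollutedPrototype('parseReviver', tamperingReviver, () => parseJsonSafely(body).role),
  };
}
```

A library-level fix applies the own-property check (or a null-prototype config object) at every point where user-supplied options are consulted; an application-level mitigation is to audit the dependency tree for known prototype pollution sources.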


Remediation

Install the update from the vendor's website.