AAP-64120: fix CVE-2025-13465 prototype pollution.#1833

Merged
omaciel merged 2 commits into main from omaciel-CVE-2025-13465
Feb 5, 2026

Conversation


@omaciel omaciel commented Feb 5, 2026

Jira Issue: https://issues.redhat.com/browse/AAP-64120

Description

Bumped lodash to 4.17.23.

Testing

Steps to test

  1. Pull down the PR
  2. ...
  3. ...

Type of Change

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to break)
  • Security fix
  • Performance improvement
  • Code refactoring
  • Documentation update
  • CI/CD update

Backport Policy

This change should be:

  • Not backported - main/master only
  • Backported to specific releases (add labels after merge)

Automated Backport Instructions

After this PR is merged, add one or more labels to automatically create backport PRs:

  • backport/stable-2.4 - Backport to stable-2.4 branch
  • backport/stable-2.5 - Backport to stable-2.5 branch
  • backport/stable-2.6 - Backport to stable-2.6 branch
  • backport/all - Backport to all active stable branches
  • no-backport - Explicitly mark as not needing backport

Backport Justification

Special backport considerations:

Scenarios tested

Production deployment

  • This code change is ready for production on its own
  • This code change requires the following considerations before going to production:


github-actions bot commented Feb 5, 2026

# npm audit report

@remix-run/router  <=1.23.1
Severity: high
React Router vulnerable to XSS via Open Redirects - https://github.com/advisories/GHSA-2w69-qvjg-hvjx
fix available via `npm audit fix`
node_modules/@remix-run/router
  react-router  6.0.0 - 6.30.2
  Depends on vulnerable versions of @remix-run/router
  node_modules/react-router
    react-router-dom  6.0.0-alpha.0 - 6.30.2
    Depends on vulnerable versions of @remix-run/router
    Depends on vulnerable versions of react-router
    node_modules/react-router-dom

jsonpath  <1.2.0
Severity: moderate
JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js - https://github.com/advisories/GHSA-6c59-mwgh-r2x6
fix available via `npm audit fix`
node_modules/jsonpath


webpack  5.49.0 - 5.104.0
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior - https://github.com/advisories/GHSA-8fgc-7cc6-rx7x
webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence - https://github.com/advisories/GHSA-38r7-794h-5758
fix available via `npm audit fix`
node_modules/webpack

5 vulnerabilities (1 low, 1 moderate, 3 high)

To address all issues, run:
  npm audit fix

@acosferreira acosferreira left a comment

lgtm


sonarqubecloud bot commented Feb 5, 2026

@omaciel omaciel merged commit e194c4a into main Feb 5, 2026
12 checks passed
@omaciel omaciel deleted the omaciel-CVE-2025-13465 branch February 5, 2026 22:39