Axios dependency contains known security vulnerabilities (GHSA-43fc-jf86-j433, GHSA-3p68-rc4w-qgx5, GHSA-fvcv-3m26-pcqx) #715

@gustavolzangelo

Description

Describe the bug

The current axios dependency (^1.12.2, resolved to 1.12.2) contains three known security vulnerabilities:

| Advisory | Severity | Description | Affected versions |
|---|---|---|---|
| GHSA-43fc-jf86-j433 | High (CVSS 7.5) | Denial of Service via `__proto__` key in mergeConfig | >=1.0.0 <=1.13.4 |
| GHSA-3p68-rc4w-qgx5 | Moderate (CVSS 4.8) | NO_PROXY hostname normalization bypass leading to SSRF | >=1.0.0 <1.15.0 |
| GHSA-fvcv-3m26-pcqx | Moderate (CVSS 4.8) | Unrestricted cloud metadata exfiltration via header injection chain | >=1.0.0 <1.15.0 |

Since aws-crt-nodejs is a transitive dependency of aws-sdk and aws-sdk-v3, these vulnerabilities are inherited by all downstream consumers. This is also related to #607.

Expected Behavior

The axios dependency should be pinned to a version that has no known security vulnerabilities (>=1.15.1).

Current Behavior

Running npm audit on a project that depends on aws-crt-nodejs reports:

axios  >=1.0.0
Severity: high/moderate
- Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
- Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
- Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Reproduction Steps

git clone https://github.com/awslabs/aws-crt-nodejs.git
cd aws-crt-nodejs
npm install --ignore-scripts
npm audit

Possible Solution

Update the axios version in both the dependencies and overrides sections of package.json from ^1.12.2 to ^1.15.1, the first version that resolves all three vulnerabilities.

Additional Information/Context

  • npm audit confirms no axios vulnerabilities after updating to 1.15.1.
  • A fix for this is ready as a pull request.
  • Long-term, issue #607 (Replace axios with built-in alternatives) proposes replacing axios entirely with built-in Node.js alternatives.

aws-crt-nodejs version used

1.21.0 (latest release)

nodejs version used

v20.9.0

Operating System and version

Ubuntu 20.04.5 LTS

Labels: bug (This issue is a bug.), needs-triage (This issue or PR still needs to be triaged.)