feat(pen): upgraded axios #6530

milan-bc · 2025-04-03T11:36:51Z

Description (optional)

Add a concise explanation of the changes.

Testing Steps (optional)

Detail the steps required for the reviewer(s) to verify and test these changes.

sstephanou-bc · 2025-04-03T12:23:02Z

Checkmarx One – Scan Summary & Details – 035a0085-1ca1-4868-9b4e-e2c2a7ebe4e0

New Issues (26)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
Cx88b46a98-47a5	Npm-elliptic-6.5.4	details Recommended version: 6.6.1 Description: The elliptic package is a plain JavaScript implementation of elliptic-curve cryptography. Versions of elliptic package prior to 6.6.1 are vulnerabl... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
CVE-2024-12905	Npm-tar-fs-2.1.1	details Recommended version: 2.1.2 Description: An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
CVE-2024-52798	Npm-path-to-regexp-0.1.7	details Recommended version: 0.1.12 Description: path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploit... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
CVE-2025-27152	Npm-axios-0.21.1	details Recommended version: 0.30.0 Description: Axios is a promise-based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
Client_DOM_XSS	/packages/blockchain-wallet-v4-frontend/src/scenes/app.tsx: 199	details The method Lambda embeds untrusted data in generated output with href, at line 249 of /packages/blockchain-wallet-v4-frontend/src/scenes/app.tsx. T... Attack Vector
Client_DOM_XSS	/packages/blockchain-wallet-v4-frontend/src/scenes/app.tsx: 199	details The method Lambda embeds untrusted data in generated output with href, at line 249 of /packages/blockchain-wallet-v4-frontend/src/scenes/app.tsx. T... Attack Vector
Client_DOM_XSS	/packages/blockchain-wallet-v4-frontend/src/scenes/app.tsx: 195	details The method Lambda embeds untrusted data in generated output with href, at line 249 of /packages/blockchain-wallet-v4-frontend/src/scenes/app.tsx. T... Attack Vector
Client_DOM_XSS	/packages/blockchain-wallet-v4-frontend/src/scenes/app.tsx: 195	details The method Lambda embeds untrusted data in generated output with href, at line 249 of /packages/blockchain-wallet-v4-frontend/src/scenes/app.tsx. T... Attack Vector
CVE-2024-11831	Npm-serialize-javascript-5.0.1	details Recommended version: 6.0.2 Description: A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain i... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
CVE-2024-11831	Npm-serialize-javascript-6.0.0	details Recommended version: 6.0.2 Description: A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain i... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
CVE-2024-11831	Npm-serialize-javascript-4.0.0	details Recommended version: 6.0.2 Description: A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain i... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
CVE-2024-53382	Npm-prismjs-1.25.0	details Recommended version: 1.30.0 Description: Prism (aka PrismJS) allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), bec... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
CVE-2024-53382	Npm-prismjs-1.17.1	details Recommended version: 1.30.0 Description: Prism (aka PrismJS) allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), bec... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
CVE-2024-53382	Npm-prismjs-1.24.1	details Recommended version: 1.30.0 Description: Prism (aka PrismJS) allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), bec... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
CVE-2024-55565	Npm-nanoid-3.3.4	details Recommended version: 3.3.8 Description: The package nanoid versions through 3.3.7 and 4.0.0 through 5.0.8 mishandle non-integer values. Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
CVE-2024-57556	Npm-store2-2.12.0	details Recommended version: 2.14.4 Description: Cross-site scripting vulnerability in nbubna store allows a remote attacker to execute arbitrary code via the "store.deep.js" component. This issue... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
CVE-2025-22150	Npm-undici-5.21.0	details Recommended version: 5.28.5 Description: Undici is an HTTP/1.1 client. In affected versions, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is kno... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
CVE-2025-25288	Npm-@octokit/plugin-paginate-rest-6.1.2	details Recommended version: 9.2.2 Description: The package @octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. In versions through 9.2.1 and 9.3.0-beta.1... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
CVE-2025-25289	Npm-@octokit/request-error-3.0.3	details Recommended version: 5.1.1 Description: The package @octokit/request-error is an error class for Octokit request errors. A Regular Expression Denial of Service (ReDoS) vulnerability exist... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
CVE-2025-25290	Npm-@octokit/request-6.2.8	details Recommended version: 8.4.1 Description: @octokit/request sends parameterized requests to GitHub's APIs with sensible defaults in browsers and Node. Starting in versions 1.0.0 through 8.4.... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
CVE-2025-26791	Npm-dompurify-2.3.6	details Recommended version: 3.2.4 Description: DOMPurify versions prior to 3.2.4 has an incorrect template literal regular expression, sometimes leading to Mutation Cross-Site Scripting (mXSS). Attack Vector: LOCAL Attack Complexity: HIGH Exploitable Path: sanitize@.../TermsAndConditions/index.tsx - ... - sanitize@/package/dist/purify.min.js Vulnerable Package
CVE-2025-27789	Npm-@babel/runtime-corejs3-7.15.4	details Recommended version: 7.26.10 Description: Babel is a compiler for writing next-generation JavaScript. In affected versions of Babel, to compile regular expressions named capturing groups, B... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
CVE-2025-27789	Npm-@babel/helpers-7.15.4	details Recommended version: 7.26.10 Description: Babel is a compiler for writing next-generation JavaScript. In affected versions of Babel, to compile regular expressions named capturing groups, B... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
CVE-2025-27789	Npm-@babel/helpers-7.17.9	details Recommended version: 7.26.10 Description: Babel is a compiler for writing next-generation JavaScript. In affected versions of Babel, to compile regular expressions named capturing groups, B... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
Unsafe_Use_Of_Target_blank	/packages/blockchain-wallet-v4-frontend/src/modals/Brokerage/Banks/Deposit/WireInstructions/ActionFooter.tsx: 27	details Using target at line 27 of /packages/blockchain-wallet-v4-frontend/src/modals/Brokerage/Banks/Deposit/WireInstructions/ActionFooter.tsx, without co... Attack Vector
Unsafe_Use_Of_Target_blank	/packages/blockchain-wallet-v4-frontend/src/modals/BuySell/BankWireDetails/ActionFooter.tsx: 22	details Using target at line 22 of /packages/blockchain-wallet-v4-frontend/src/modals/BuySell/BankWireDetails/ActionFooter.tsx, without correctly setting t... Attack Vector

Fixed Issues (136)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~CVE-2016-10707~~	Npm-jquery-1.11.1
	~~Cx89601373-08db~~	Npm-debug-3.2.7
	~~Cx89601373-08db~~	Npm-debug-2.6.9
	~~CVE-2020-11022~~	Npm-jquery-1.11.1
	~~Client_HTML5_Store_Sensitive_data_In_Web_Storage~~	/packages/blockchain-wallet-v4/src/network/api/wallet/index.ts: 74
	~~Client_Privacy_Violation~~	/legacy-pages/js/import/wallet-import.js: 245
	~~Client_Privacy_Violation~~	/legacy-pages/js/import/import-export.js: 799
	~~Client_Privacy_Violation~~	/legacy-pages/js/import/wallet.js: 2995
	~~Client_Privacy_Violation~~	/legacy-pages/js/mnemonic/mnemonic.js: 358
	~~Client_Privacy_Violation~~	/legacy-pages/js/import/wallet.min.js: 2443
	~~Client_Privacy_Violation~~	/legacy-pages/js/import/import-export.js: 799
	~~Client_Privacy_Violation~~	/legacy-pages/js/import/import-export.js: 799
	~~Cx14b19a02-387a~~	Npm-body-parser-1.19.0
	~~SSRF~~	/packages/blockchain-wallet-v4-frontend/src/data/analytics/analytics.ts: 10
	~~SSRF~~	/packages/blockchain-wallet-v4-frontend/src/middleware/analyticsMiddleware/analytics.ts: 10
	~~Client_DOM_Open_Redirect~~	/packages/blockchain-wallet-v4-frontend/src/scenes/Nfts/components/TraitGridFilters.tsx: 122
	~~Client_DOM_Open_Redirect~~	/legacy-pages/js/shared.js: 707
	~~Client_DOM_Open_Redirect~~	/legacy-pages/js/import/wallet.js: 4690
	~~Client_DOM_Open_Redirect~~	/legacy-pages/js/import/wallet.min.js: 3769
	~~Client_DOM_Open_Redirect~~	/legacy-pages/js/wallet-index.js: 75
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/wallet-import.js: 118
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/wallet-import.js: 117
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/shared.js: 18
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/mnemonic/wallet-forgot-password.js: 12
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/mnemonic/mnemonic.js: 436
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/wallet.min.js: 3802
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/wallet.min.js: 3579
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/wallet.min.js: 2845
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/wallet.min.js: 2844
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/wallet.min.js: 2099
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/wallet.min.js: 1149
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/wallet.js: 4728
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/wallet.js: 4480
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/wallet.js: 3515
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/wallet.js: 3514
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/wallet.js: 2614
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/wallet.js: 1470
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/import-export.js: 303
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/import-export.js: 302
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/import-export.js: 177
	~~Client_JQuery_Deprecated_Symbols~~	/legacy-pages/js/import/import-export.js: 108
	~~Client_Password_In_Comment~~	/packages/blockchain-wallet-v4-frontend/src/data/components/dex/sagas.ts: 463
	~~Missing_CSP_Header~~	/packages/blockchain-wallet-v4-frontend/webpackBuilder.js: 317
	~~Unprotected_Cookie~~	/packages/blockchain-wallet-v4-frontend/src/data/modules/profile/sagas.ts: 266
	~~Unprotected_Cookie~~	/packages/blockchain-wallet-v4-frontend/src/data/misc/sagas.ts: 75
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/components/Banner/SofiBanner/index.tsx: 36
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/components/Flyout/Brokerage/OrderSummary.tsx: 227
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/components/Terms/index.tsx: 32
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/components/Terms/index.tsx: 45
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/components/Terms/index.tsx: 67
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/components/Terms/index.tsx: 84
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/components/Terms/index.tsx: 105
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/components/Terms/index.tsx: 139
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/components/Terms/index.tsx: 156
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/layouts/Auth/components/Footer/Help/index.tsx: 11
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/layouts/Auth/components/Footer/Version/index.tsx: 12
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/modals/BuySell/OrderSummary/InterestBanner/template.success.tsx: 40
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/modals/Earn/Interest/DepositForm/template.success.tsx: 240
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/modals/Sofi/MigratedBalances/template.noassets.tsx: 38
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/modals/Swap/SuccessfulSwap/index.tsx: 174
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/modals/Wallet/InterestPromo/template.tsx: 81
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/scenes/Dex/Swap/NoTokenBalances/index.tsx: 73
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/scenes/Earn/index.tsx: 127
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/scenes/Home/Banners/ActiveRewardsBanner/ActiveRewardsBanner.template.tsx: 51
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/scenes/Home/Banners/StakingBanner/StakingBanner.template.tsx: 46
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/scenes/Settings/General/About/index.tsx: 28
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/scenes/Settings/General/PrivacyPolicy/index.tsx: 31
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/scenes/Settings/General/TermsOfService/index.tsx: 31
	~~Unsafe_Use_Of_Target_blank~~	/packages/blockchain-wallet-v4-frontend/src/modals/Wallet/RecommendedSweep/template.error.tsx: 35

More results are available on the CxOne platform

feat(pen): upgraded axios

4b85e56

milan-bc self-assigned this Apr 3, 2025

milan-bc requested review from CTucker-BC, TheLeoB, dkremniov-bc, jhagerman-bc, mperdomo-bc and mrodriguez-bc as code owners April 3, 2025 11:36

pgarvin-bc approved these changes Apr 3, 2025

View reviewed changes

milan-bc merged commit 8bcd917 into development Apr 9, 2025
1 of 2 checks passed

milan-bc deleted the feat/IVM-555-upgrade-version branch April 9, 2025 13:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(pen): upgraded axios #6530

feat(pen): upgraded axios #6530

Uh oh!

milan-bc commented Apr 3, 2025

Uh oh!

sstephanou-bc commented Apr 3, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

feat(pen): upgraded axios #6530

feat(pen): upgraded axios #6530

Uh oh!

Conversation

milan-bc commented Apr 3, 2025

Description (optional)

Testing Steps (optional)

Uh oh!

sstephanou-bc commented Apr 3, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants