Fix CVEs by updating axios to patched versions#684
Merged
sbouchet merged 1 commit intoche-incubator:mainfrom Apr 16, 2026
Merged
Fix CVEs by updating axios to patched versions#684sbouchet merged 1 commit intoche-incubator:mainfrom
sbouchet merged 1 commit intoche-incubator:mainfrom
Conversation
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
sbouchet
requested review from
RomanNikitenko,
azatsarynnyy,
rgrunber and
vitaliy-guliy
as code owners
|
Click here to review and test in web IDE: |
&message=Dev%20cluster%20(for%20maintainers)&logo=eclipseche&color=525C86&labelColor=FDB940)
3 tasks
|
Pull Request images published ✨ Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-684-amd64 |
rgrunber
approved these changes
Apr 15, 2026
Collaborator
rgrunber
left a comment
rgrunber
left a comment
There was a problem hiding this comment.
This change eliminates :
che-api
axios <=1.14.0
Severity: critical
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig - https://github.com/advisories/GHSA-43fc-jf86-j433
Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF - https://github.com/advisories/GHSA-3p68-rc4w-qgx5
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - https://github.com/advisories/GHSA-fvcv-3m26-pcqx
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - https://github.com/advisories/GHSA-fvcv-3m26-pcqx
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/@eclipse-che/workspace-telemetry-client/node_modules/axios
node_modules/axios
@eclipse-che/workspace-telemetry-client *
Depends on vulnerable versions of axios
node_modules/@eclipse-che/workspace-telemetry-client
che-remote
axios <=1.14.0
Severity: critical
Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF - https://github.com/advisories/GHSA-3p68-rc4w-qgx5
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - https://github.com/advisories/GHSA-fvcv-3m26-pcqx
fix available via `npm audit fix`
node_modules/axios
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
This PR fixes CVE-2025-62718 and CVE-2026-40175.
axiosversion is updated to1.15.0What issues does this PR fix?
https://redhat.atlassian.net/browse/CRW-10707
https://redhat.atlassian.net/browse/CRW-10709
https://redhat.atlassian.net/browse/CRW-10691
https://redhat.atlassian.net/browse/CRW-10693
https://redhat.atlassian.net/browse/CRW-10695
How to test this PR?
Does this PR contain changes that override default upstream Code-OSS behavior?
git rebasewere added to the .rebase folder