
[Aikido] Fix 4 security issues in @babel/traverse, aws-sdk, @actions/core#1

Open
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-18842181-7lzt
Conversation


@aikido-autofix aikido-autofix bot commented Mar 10, 2026

Upgrade dependencies to fix remote code execution in Babel compilation, prototype pollution in XML parsing, and environment variable injection vulnerabilities in GitHub Actions.

✅ 4 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| AIKIDO-2025-10745 | MEDIUM | [@babel/traverse] A vulnerability allows remote code execution during compilation when processing malicious input with certain plugins that use internal evaluation methods. This affects plugins like @babel/plugin-transform-runtime and @babel/preset-env with useBuiltIns option. |
| CVE-2023-0842 | MEDIUM | [xml2js] version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited. |
| CVE-2020-15228 | MEDIUM | [@actions/core] Untrusted data logged to stdout can be interpreted as runner commands, allowing attackers to modify environment variables and PATH without authorization. This enables arbitrary code execution through workflow manipulation. |
| CVE-2022-35954 | MEDIUM | [@actions/core] The core.exportVariable function uses a predictable delimiter that attackers can exploit to break out of variables and assign arbitrary values to other environment variables, potentially modifying the path or other critical variables. This allows arbitrary environment variable injection when untrusted values are written to GITHUB_ENV. |
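The xml2js entry above (CVE-2023-0842) describes a document editing or adding properties on the parsed object. The following added example is not xml2js or Aikido code: it is a small model of the bug class, with a minimal parser for a subset of XML (nested elements with text or children only, no attributes or entities), a conversion that maps element names straight onto object keys, and a hardened conversion that refuses prototype-related names. The hostile document and the `isAdmin` flag are constructed for the demonstration.

```javascript
// Added example (a model, not xml2js code): how mapping XML element names
// straight onto object keys lets a document add or override properties on the
// resulting object through a `__proto__` element, and one way to refuse it.

// Minimal parser for a subset of XML: nested elements holding text or child
// elements; no attributes, comments, entities or namespaces.
function parseXml(src) {
  let pos = 0;
  function parseElement() {
    const open = /^<([A-Za-z_][\w.-]*)>/.exec(src.slice(pos));
    if (!open) throw new Error(`expected start tag at offset ${pos}`);
    const name = open[1];
    pos += open[0].length;
    const children = [];
    let text = '';
    while (!src.startsWith(`</${name}>`, pos)) {
      if (pos >= src.length) throw new Error(`unterminated <${name}>`);
      if (src[pos] === '<') children.push(parseElement());
      else text += src[pos++];
    }
    pos += name.length + 3; // consume </name>
    return { name, text: text.trim(), children };
  }
  return parseElement();
}

// Vulnerable conversion: plain assignment, so a child named __proto__ replaces
// the prototype of the result and everything inside it appears inherited.
function toObjectVulnerable(el) {
  if (el.children.length === 0) return el.text;
  const obj = {};
  for (const child of el.children) obj[child.name] = toObjectVulnerable(child);
  return obj;
}

// Hardened conversion: reject prototype-related names outright and define the
// remaining keys as own properties, which never triggers the __proto__ setter.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function toObjectSafe(el) {
  if (el.children.length === 0) return el.text;
  const obj = {};
  for (const child of el.children) {
    if (FORBIDDEN_KEYS.has(child.name)) {
      throw new Error(`refusing prototype-related element name <${child.name}>`);
    }
    Object.defineProperty(obj, child.name, {
      value: toObjectSafe(child), enumerable: true, writable: true, configurable: true,
    });
  }
  return obj;
}

// Constructed hostile document: a user record that smuggles in an isAdmin flag.
const HOSTILE_XML =
  '<user><name>alice</name><__proto__><isAdmin>true</isAdmin></__proto__></user>';

function demoProtoPollution() {
  const user = toObjectVulnerable(parseXml(HOSTILE_XML));
  return {
    isAdmin: user.isAdmin,                                     // 'true', inherited
    ownKeys: Object.keys(user),                                // ['name'] only
    isOwn: Object.prototype.hasOwnProperty.call(user, 'isAdmin'), // false
  };
}
function demoProtoRejected() {
  try { toObjectSafe(parseXml(HOSTILE_XML)); return 'converted'; }
  catch (e) { return 'rejected'; }
}
```

The vulnerable path leaves `Object.keys(user)` showing only `name`, so a check that iterates own keys never sees `isAdmin` while any `user.isAdmin` lookup returns `'true'`. Rejecting the names is preferable to silently dropping them: a document that contains `<__proto__>` is hostile, and the parse should fail loudly.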


CVE-2026-22036 in undici - high severity
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.

Remediation: Aikido suggests bumping this package to version 6.23.0 to resolve this issue.

Reply @AikidoSec ignore: [REASON] to ignore this issue.
