slackapi / node-slack-sdk

Slack Developer Kit for Node.js

Home Page: https://slack.dev/node-slack-sdk


Upgrade axios to 1.6.3 SNYK-JS-AXIOS-6124857

helzahalim opened this issue · comments

Snyk vulnerability SNYK-JS-AXIOS-6124857

Affected versions of Axios of this package are vulnerable to Regular Expression Denial of Service (ReDoS). An attacker can deplete system resources by providing a manipulated string as input to the format method, causing the regular expression to exhibit a time complexity of O(n^2). This makes the server unable to provide normal service due to the excessive cost and time wasted in processing vulnerable regular expressions.

Packages:

Select all that apply:

  • @slack/web-api
  • @slack/rtm-api
  • @slack/webhooks
  • @slack/oauth
  • @slack/socket-mode
  • @slack/types
  • I don't know

Requirements

Please read the Contributing guidelines and Code of Conduct before creating this issue or pull request. By submitting, you are agreeing to those rules.

Hi, @helzahalim! Thanks for flagging this! 🙌

I have opened a PR to upgrade web-api's Axios version here: #1710

Feel free to take a look! I will also keep an eye on the PR to make sure all the tests pass for web-api with the version upgrade.

This has been released in web-api@6.11.1.
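A way to confirm that the upgrade actually reached your own tree, as an added example that is not part of this thread or of node-slack-sdk: it walks a `package-lock.json` (lockfileVersion 2/3 `packages` map) for every resolved copy of axios, including copies nested under `@slack/web-api`, and flags any below the fixed version 1.6.3. The lockfile contents and the helper names are constructed for the example.

```javascript
// Added example (not from the issue or node-slack-sdk): audit a package-lock.json
// for every resolved copy of axios and compare each against the fixed version.
const FIXED_AXIOS = '1.6.3'; // version named in the advisory above

// Compare two "major.minor.patch" strings; pre-release tags are ignored here.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile's "packages" map. Every key ending in "node_modules/axios"
// is a resolved copy, whether hoisted to the top level or nested under another
// dependency (npm dedupes only when version ranges allow it).
function auditAxios(lock, fixed = FIXED_AXIOS) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/axios') || !meta.version) continue;
    findings.push({
      path,
      version: meta.version,
      vulnerable: compareSemver(meta.version, fixed) < 0,
    });
  }
  return findings;
}

// Constructed sample lock: web-api carries its own fixed copy, while an older
// top-level axios pulled in by something else is still below 1.6.3.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app' },
    'node_modules/@slack/web-api': { version: '6.11.1' },
    'node_modules/@slack/web-api/node_modules/axios': { version: '1.6.3' },
    'node_modules/axios': { version: '1.6.2' },
  },
};

for (const f of auditAxios(sampleLock)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok'}  ${f.path}@${f.version}`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditAxios` in place of the sample object.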