Skip to content

[Aikido] Fix security issue in axios via minor version upgrade from 1.16.1 to 1.18.0#16

Merged
yosriady merged 1 commit into
mainfrom
fix/aikido-security-update-packages-61698613-azxp
Jul 7, 2026
Merged

[Aikido] Fix security issue in axios via minor version upgrade from 1.16.1 to 1.18.0#16
yosriady merged 1 commit into
mainfrom
fix/aikido-security-update-packages-61698613-azxp

Conversation

@aikido-autofix

@aikido-autofix aikido-autofix Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Upgrade axios to fix credential leakage vulnerability where custom headers containing API keys and tokens are exposed during cross-origin redirects.

⚠️ Breaking changes in this upgrade

All breaking changes by upgrading axios from version 1.16.1 to 1.18.0 (CHANGELOG)

Version Description
1.18.0
Malformed http: and https: URLs that omit // are now rejected with ERR_INVALID_URL, whereas they may have been accepted previously.
1.18.0
validateStatus: undefined behavior changed to require opt-in via transitional.validateStatusUndefinedResolves to be treated like the option was omitted; without the opt-in, the behavior differs from previous versions.
✅ 1 CVE resolved by this upgrade

This PR will resolve the following CVEs:

Issue Severity           Description
AIKIDO-2026-291630
HIGH
[axios] Cross-origin redirects leak custom credential headers like X-API-Key and AWS tokens to unintended hosts, allowing attackers to steal sensitive authentication data. This information disclosure vulnerability affects shared environments where secret headers are set by default.

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedaxios@​1.18.09710010094100

View full report

@yosriady yosriady merged commit 2f87ad3 into main Jul 7, 2026
6 checks passed
@yosriady yosriady deleted the fix/aikido-security-update-packages-61698613-azxp branch July 7, 2026 02:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant