Skip to content

[Aikido] Fix security issue in axios via minor version upgrade from 1.16.1 to 1.18.0#1715

Merged
AdamJHall merged 2 commits into
mainfrom
fix/aikido-security-update-packages-53842895-32tw
Jun 23, 2026
Merged

[Aikido] Fix security issue in axios via minor version upgrade from 1.16.1 to 1.18.0#1715
AdamJHall merged 2 commits into
mainfrom
fix/aikido-security-update-packages-53842895-32tw

Conversation

@aikido-autofix

@aikido-autofix aikido-autofix Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Upgrade axios to fix credential leakage on cross-origin redirects and malformed URL bypass vulnerabilities.

✅ Code not affected by breaking changes.

✅ No breaking changes from the axios upgrade affect this codebase:

  1. Malformed URLs: The codebase does not construct malformed http: or https: URLs that omit //. All URL constructions follow proper format (e.g., `https://${FRONTEND_HOST}...`), and URLs from external sources (environment variables, SQS events) are expected to be well-formed.

  2. validateStatus: undefined: All three instances where validateStatus is used in the codebase explicitly provide a function value, not undefined. The breaking change only affects code that sets validateStatus: undefined, which does not occur in this codebase.

All breaking changes by upgrading axios from version 1.16.1 to 1.18.0 (CHANGELOG)

Version Description
1.18.0
Malformed http: and https: URLs that omit // are now rejected with ERR_INVALID_URL, whereas they may have been accepted previously.
1.18.0
validateStatus: undefined behavior changed to require opt-in via transitional.validateStatusUndefinedResolves to be treated like the option was omitted; without the opt-in, the behavior differs from previous versions.
✅ 2 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue Severity           Description
AIKIDO-2026-291630
HIGH
[axios] Cross-origin redirects leak custom credential headers like X-API-Key and AWS tokens to unintended hosts, allowing attackers to steal sensitive authentication data. This information disclosure vulnerability affects shared environments where secret headers are set by default.
AIKIDO-2026-38469
MEDIUM
[axios] Malformed HTTP/HTTPS URLs without // (e.g., https:internal.example) were silently normalized instead of rejected, allowing attackers to bypass URL allowlists or WAF checks and reach unintended hosts. The fix now throws an error for invalid scheme URLs before normalization.
🤖 Remediation details

Fix axios vulnerability in header-change-detection and prerender-proxy workspace packages

Short summary

This PR remediates two security vulnerabilities in the axios npm package (versions [0.19.1, 1.17.0] are affected). The vulnerable dependency appears as a direct dependency declared in two workspace member manifests — packages/constructs/header-change-detection/package.json and packages/constructs/prerender-proxy/package.json — and the resolved version in yarn.lock was updated accordingly.

axios

Both workspace packages declared "axios": "^1.16.0", which resolved to 1.16.1 in the lockfile — a version within the vulnerable range. The declared spec in each manifest was bumped to "^1.18.0" (the minimum patched version), and yarn.lock was refreshed via yarn install --mode=update-lockfile, causing Yarn Berry to resolve the entry to 1.18.0. No resolutions override was needed because the range change in the owning manifests was sufficient to pull in the patched release.

Version changes

Package From To Why updated
axios ^1.16.0 (resolved 1.16.1) ^1.18.0 (resolved 1.18.0) Direct CVE fix — declared spec bumped in both workspace manifests; lockfile refreshed

@aikido-autofix aikido-autofix Bot requested a review from a team as a code owner June 22, 2026 23:47
@github-actions

Copy link
Copy Markdown
Contributor

Changeset detected - Thanks for adding release notes!

@AdamJHall AdamJHall merged commit 00a7c94 into main Jun 23, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant