Skip to content

[Aikido] Fix 4 security issues in axios, fast-uri, aws-cdk-lib#1722

Open
aikido-autofix[bot] wants to merge 2 commits into
mainfrom
fix/aikido-security-update-packages-60141872-wizb
Open

[Aikido] Fix 4 security issues in axios, fast-uri, aws-cdk-lib#1722
aikido-autofix[bot] wants to merge 2 commits into
mainfrom
fix/aikido-security-update-packages-60141872-wizb

Conversation

@aikido-autofix

@aikido-autofix aikido-autofix Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Upgrade axios, fast-uri, and aws-cdk-lib to fix credential leakage on redirects, URL validation bypass, IDN canonicalization, and command injection vulnerabilities.

✅ Code not affected by breaking changes.

✅ No breaking changes from either package upgrade affect this codebase:

axios (1.16.1 => 1.18.0): All validateStatus usages provide explicit functions rather than undefined, and all HTTP/HTTPS URLs are properly formatted with //.

aws-cdk-lib (2.257.0 => 2.260.0): The codebase does not use PCAConnectorAD resources, does not use Runtime.NODEJS_LATEST, and all Lambda handlers use async/await patterns rather than callback-style handlers.

All breaking changes by upgrading axios from version 1.16.1 to 1.18.1 (CHANGELOG)

Version Description
1.18.0
Malformed http: and https: URLs that omit // are now rejected with ERR_INVALID_URL, whereas they may have been accepted previously.
1.18.0
validateStatus: undefined behavior changed to require opt-in via transitional.validateStatusUndefinedResolves to be treated like the option was omitted; without the opt-in, the behavior differs from previous versions.

All breaking changes by upgrading aws-cdk-lib from version 2.257.0 to 2.260.0 (CHANGELOG)

Version Description
2.258.0
L1 resources for aws-pcaconnectorad: ConnectorArn property is now required for AWS::PCAConnectorAD::ServicePrincipalName
2.258.0
L1 resources for aws-pcaconnectorad: DirectoryRegistrationArn property is now required for AWS::PCAConnectorAD::ServicePrincipalName
2.258.0
L1 resources for aws-pcaconnectorad: GroupSecurityIdentifier property is now required for AWS::PCAConnectorAD::TemplateGroupAccessControlEntry
2.258.0
L1 resources for aws-pcaconnectorad: TemplateArn property is now required for AWS::PCAConnectorAD::TemplateGroupAccessControlEntry
2.259.0
Runtime.NODEJS_LATEST now resolves to nodejs24.x in every region; existing AWS::Lambda::Function resources will see Runtime change from nodejs22.x to nodejs24.x on next deploy, and Node.js 24 removes support for callback-style asynchronous handlers which will cause runtime errors for code still using callback-based handlers
✅ 4 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue Severity           Description
AIKIDO-2026-291630
HIGH
[axios] Cross-origin redirects leak custom credential headers like X-API-Key and AWS tokens to unintended hosts, allowing attackers to steal sensitive authentication data. This information disclosure vulnerability affects shared environments where secret headers are set by default.
AIKIDO-2026-38469
MEDIUM
[axios] Malformed HTTP/HTTPS URLs without // (e.g., https:internal.example) were silently normalized instead of rejected, allowing attackers to bypass URL allowlists or WAF checks and reach unintended hosts. The fix now throws an error for invalid scheme URLs before normalization.
AIKIDO-2026-507986
HIGH
[fast-uri] A security bypass vulnerability exists in host canonicalization for Unicode/IDN values due to inconsistent ASCII/Unicode host handling, which could allow attackers to bypass security checks through improper host normalization.
AIKIDO-2026-577363
HIGH
[aws-cdk-lib] OS command injection vulnerability in Docker-based NodejsFunction bundling when using the nodeModules option allows attackers to inject shell commands through dependency version strings, leading to arbitrary code execution with the privileges of the CDK toolchain user.
🤖 Remediation details

Fix security vulnerabilities in axios, fast-uri, and aws-cdk-lib

This PR remediates security vulnerabilities in three packages — axios, fast-uri, and aws-cdk-lib — by bumping declared versions in workspace member package.json files and refreshing the root yarn.lock via Yarn Berry's lockfile-update mode. No resolutions overrides were required.

axios

axios was resolved at 1.16.1 as a transitive dependency of nx@20.8.4 (declared range ^1.8.3), which falls within the vulnerable range. Because nx's existing range already admitted 1.18.x, no manifest edit was needed; a yarn up -R axios --mode=update-lockfile lockfile refresh was sufficient to pull the resolved version up to 1.18.1. The two previously separate lockfile entries (axios@npm:^1.8.3 at 1.16.1 and axios@npm:^1.18.0 at 1.18.0) were consolidated into a single entry at 1.18.1.

fast-uri

fast-uri was resolved at 3.1.2 as a transitive dependency of ajv@8.18.0 (declared range ^3.0.1), placing it in the vulnerable range. The parent's existing range already permitted 3.1.3, so a yarn up -R fast-uri --mode=update-lockfile lockfile refresh was sufficient to advance the resolved version to 3.1.3 without any manifest change.

aws-cdk-lib

aws-cdk-lib was resolved at 2.257.0, within the vulnerable range, pulled in by three workspace packages — @aligent/cdk-domain-hosting, @aligent/cdk-esbuild, and @aligent/cdk-static-hosting — each declaring ^2.257.0. Because the lower bound of that range (2.257.0) is itself vulnerable, the declared spec in each workspace package.json was raised to ^2.260.0 to enforce a safe semver floor. A subsequent yarn install --mode=update-lockfile resolved the package to 2.260.0 and also updated the associated @aws-cdk/* asset and assembly packages that ship alongside each aws-cdk-lib release.

Version changes

Package From To Why updated
axios 1.16.1 1.18.1 Direct CVE fix — lockfile refresh; transitive via nx@^1.8.3
fast-uri 3.1.2 3.1.3 Direct CVE fix — lockfile refresh; transitive via ajv@^3.0.1
aws-cdk-lib 2.257.0 (^2.257.0) 2.260.0 (^2.260.0) Direct CVE fix — manifest spec floor raised in three workspace packages
@aws-cdk/asset-awscli-v1 2.2.273 2.2.282 Transitive after aws-cdk-lib bump
@aws-cdk/asset-node-proxy-agent-v6 2.1.1 2.1.2 Transitive after aws-cdk-lib bump
@aws-cdk/cloud-assembly-api 2.2.4 2.2.6 Transitive after aws-cdk-lib bump

@aikido-autofix aikido-autofix Bot requested a review from a team as a code owner July 3, 2026 23:44
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

⚠️ No Changeset Detected

This pull request modifies code that affects the following packages (detected by Nx):

Affected Packages:

  • @aligent/cdk-constructs

If this PR should trigger a release:

yarn changeset

Follow the prompts to select the affected packages and describe your changes.

If this PR should NOT trigger a release:

  • Documentation-only changes
  • Internal refactoring with no API changes
  • Test updates
  • Build/CI configuration changes
  • Changes only to root files (package.json, workflows, etc.)

In this case, no action is needed - this comment is just a reminder for reviewers.

This check uses Nx to accurately detect which packages are affected by your changes. If you're unsure whether a changeset is needed, please ask a maintainer!

🔧 Commands & Tips
# Add a changeset for your changes
yarn changeset

# Check which packages Nx thinks are affected
npx nx show projects --affected

# Check current changeset status
yarn changeset:status

# Add an empty changeset if no release needed
yarn changeset --empty

Pro tip: When running yarn changeset, select only the packages listed above that you actually changed the public API of.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants