[4.x]: upgrade vulnerable axios 0.27.2 #15448

d--j · 2024-07-31T13:25:54Z

What happened?

Description

axios 0.27.2 has these two vulnerabilities:

Please upgrade axios to 0.28.1

Line 36 in 4b05a2f

"axios": "^0.27.2",

At least GHSA-wf5p-g6vw-rhxx has been fixed in there. axios/axios#6131 has only been fixed in 1.6.3 but upgrading to this version would probably be a breaking change and it is "only" a ReDoS attack.

Steps to reproduce

Navigate to the following URL: https://example.com/admin/login
Open the browser's built in developer tools
Enter the following string into the JavaScript console: axios.VERSION
Note that the application includes a version of Axios 0.27.2 which has known security issues associated with it

Craft CMS version

4.10.7

PHP version

No response

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

No response

The text was updated successfully, but these errors were encountered:

Resolves #15448

brandonkelly · 2024-08-01T23:54:49Z

Thanks for reporting that! I’ve updated Axios to 0.28.1 for the next Craft 4 release. (Craft 5 is already running 1.6.5.)

d--j added bug craft4 labels Jul 31, 2024

brandonkelly added a commit that referenced this issue Aug 1, 2024

Axios 0.28.1

3013232

Resolves #15448

brandonkelly closed this as completed Aug 1, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[4.x]: upgrade vulnerable axios 0.27.2 #15448

[4.x]: upgrade vulnerable axios 0.27.2 #15448

d--j commented Jul 31, 2024

brandonkelly commented Aug 1, 2024

[4.x]: upgrade vulnerable axios 0.27.2 #15448

[4.x]: upgrade vulnerable axios 0.27.2 #15448

Comments

d--j commented Jul 31, 2024

What happened?

Description

Steps to reproduce

Craft CMS version

PHP version

Operating system and version

Database type and version

Image driver and version

Installed plugins and versions

brandonkelly commented Aug 1, 2024