Skip to content

Backport maxContentLength vulnerability fix to v0.x#7034

Merged
jasonsaayman merged 6 commits intoaxios:v0.xfrom
FeBe95:backport-maxContentLength-fix
Sep 16, 2025
Merged

Backport maxContentLength vulnerability fix to v0.x#7034
jasonsaayman merged 6 commits intoaxios:v0.xfrom
FeBe95:backport-maxContentLength-fix

Conversation

@FeBe95
Copy link

@FeBe95 FeBe95 commented Sep 15, 2025

Backports fix for GHSA-4hjh-wcwx-xvwj on v1.x (#7011) to v0.x.

@FeBe95 FeBe95 marked this pull request as draft September 15, 2025 12:09
@FeBe95 FeBe95 marked this pull request as ready for review September 15, 2025 12:12
@FeBe95 FeBe95 mentioned this pull request Sep 15, 2025
Closed
@jasonsaayman jasonsaayman merged commit a1b1d3f into axios:v0.x Sep 16, 2025
3 of 7 checks passed
@mayonfrancis
Copy link

mayonfrancis commented Sep 18, 2025
edited
Loading

Thanks @FeBe95 for the fix! Will there be a release in npm for this?

@rai-gondim-vindi
Copy link

rai-gondim-vindi commented Sep 23, 2025

@jasonsaayman Is there any forecast for the new release tag 0.30.2?

@tstackhouse
Copy link

tstackhouse commented Sep 23, 2025

Looks like the latest CI build on the 0.x branch failed after this was merged: https://github.com/axios/axios/actions/runs/17768941147

@FeBe95
Copy link
Author

FeBe95 commented Sep 23, 2025

@tstackhouse Yes, this CI run failed, but only due to some code style rule violations. This shouldn't prevent the maintainers from releasing a new 0.x version.

@jasonsaayman
Copy link
Member

jasonsaayman commented Sep 26, 2025

i will try get to the release today, sorry its quite a manual process which i will try improve

@FeBe95
Copy link
Author

FeBe95 commented Sep 27, 2025

Version 0.30.2 has been released just now:

@maikelvdh maikelvdh mentioned this pull request Sep 29, 2025
Closed
@FeBe95
Copy link
Author

FeBe95 commented Sep 29, 2025

Update: The GitHub Advisory Database was updated to reflect the affected versions. It now lists 0.30.2 as patched.

Note

Unfortunately, the npm registry hasn't caught up yet, so npm audit still lists 0.30.2 as vulnerable.

curl -s  https://registry.npmjs.org/-/npm/v1/security/advisories/bulk --json '{"axios": ["0.30.2"]}'
{
    "axios": [
        {
            "id": 1107599,
            "url": "https://github.com/advisories/GHSA-4hjh-wcwx-xvwj",
            "title": "Axios is vulnerable to DoS attack through lack of data size check",
            "severity": "high",
            "vulnerable_versions": "<1.12.0",
            "cwe": [
                "CWE-770"
            ],
            "cvss": {
                "score": 7.5,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            }
        }
    ]
}

@github-actions github-actions bot mentioned this pull request Sep 30, 2025
Open
@FeBe95
Copy link
Author

FeBe95 commented Oct 5, 2025

One final update on this: The NPM registry has been updated. If you have version 0.30.2 installed, the npm audit command will no longer show Axios as vulnerable.

@gardera-security gardera-security bot mentioned this pull request Oct 22, 2025
Open
This was referenced Oct 27, 2025
Closed
Open
@zhonglin88 zhonglin88 mentioned this pull request Jan 20, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@FeBe95 @mayonfrancis @rai-gondim-vindi @tstackhouse @jasonsaayman