Skip to content

Fix CVEs by updating axios to patched versions#684

Merged
sbouchet merged 1 commit intoche-incubator:mainfrom
sbouchet:axios
Apr 16, 2026
Merged

Fix CVEs by updating axios to patched versions#684
sbouchet merged 1 commit intoche-incubator:mainfrom
sbouchet:axios

Conversation

@sbouchet
Copy link
Copy Markdown
Collaborator

@sbouchet sbouchet commented Apr 15, 2026

What does this PR do?

This PR fixes CVE-2025-62718 and CVE-2026-40175.

axios version is updated to 1.15.0

What issues does this PR fix?

https://redhat.atlassian.net/browse/CRW-10707
https://redhat.atlassian.net/browse/CRW-10709
https://redhat.atlassian.net/browse/CRW-10691
https://redhat.atlassian.net/browse/CRW-10693
https://redhat.atlassian.net/browse/CRW-10695

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

@sbouchet
Fix CVEs by updating axios to patched versions
e491d2b 
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 15, 2026
edited
Loading

Click here to review and test in web IDE: Contribute

@sbouchet sbouchet mentioned this pull request Apr 15, 2026
Open
3 tasks
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 15, 2026

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-684-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-684-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-684-dev-amd64

rgrunber
rgrunber approved these changes Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@rgrunber rgrunber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change eliminates :

che-api

axios  <=1.14.0
Severity: critical
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig - https://github.com/advisories/GHSA-43fc-jf86-j433
Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF - https://github.com/advisories/GHSA-3p68-rc4w-qgx5
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - https://github.com/advisories/GHSA-fvcv-3m26-pcqx
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - https://github.com/advisories/GHSA-fvcv-3m26-pcqx
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/@eclipse-che/workspace-telemetry-client/node_modules/axios
node_modules/axios
  @eclipse-che/workspace-telemetry-client  *
  Depends on vulnerable versions of axios
  node_modules/@eclipse-che/workspace-telemetry-client

che-remote

axios  <=1.14.0
Severity: critical
Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF - https://github.com/advisories/GHSA-3p68-rc4w-qgx5
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - https://github.com/advisories/GHSA-fvcv-3m26-pcqx
fix available via `npm audit fix`
node_modules/axios

@sbouchet sbouchet merged commit 0e77fc7 into che-incubator:main Apr 16, 2026
27 of 32 checks passed
@sbouchet sbouchet deleted the axios branch April 16, 2026 08:21
RomanNikitenko
RomanNikitenko reviewed Apr 16, 2026
View reviewed changes
Comment thread code/extensions/che-api/package.json
"minimatch": "^3.1.5",
"handlebars": "4.7.9"
"handlebars": "4.7.9",
"axios": "^1.15.0"
Copy link
Copy Markdown
Collaborator

@RomanNikitenko RomanNikitenko Apr 16, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change forces the telemetry client's axios@^0.24.0 to resolve to 1.15.0
Overriding from Axios 0.24.0 to 1.15.0 is a significant version change and may introduce breaking changes(error types, FormData handling)

Please check if 0.31.0 can be used instead.

RomanNikitenko
RomanNikitenko reviewed Apr 16, 2026
View reviewed changes
Comment thread code/extensions/che-api/package-lock.json
}
},
"node_modules/@eclipse-che/workspace-telemetry-client/node_modules/axios": {
"version": "0.24.0",
Copy link
Copy Markdown
Collaborator

@RomanNikitenko RomanNikitenko Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please see #684 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RomanNikitenko RomanNikitenko RomanNikitenko left review comments

@rgrunber rgrunber rgrunber approved these changes

@azatsarynnyy azatsarynnyy Awaiting requested review from azatsarynnyy azatsarynnyy is a code owner

@vitaliy-guliy vitaliy-guliy Awaiting requested review from vitaliy-guliy vitaliy-guliy is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sbouchet @rgrunber @RomanNikitenko