Skip to content

[Aikido] Fix security issue in axios via minor version upgrade from 1.16.1 to 1.18.0 in with-web3-onboard#39

Merged
yosriady merged 1 commit into
mainfrom
fix/aikido-security-update-packages-55968450-vu2t
Jun 26, 2026
Merged

[Aikido] Fix security issue in axios via minor version upgrade from 1.16.1 to 1.18.0 in with-web3-onboard#39
yosriady merged 1 commit into
mainfrom
fix/aikido-security-update-packages-55968450-vu2t

Conversation

@aikido-autofix

@aikido-autofix aikido-autofix Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Upgrade axios to fix credential leakage vulnerability where custom headers containing API keys and tokens are exposed during cross-origin redirects.

⚠️ Breaking changes in this upgrade

All breaking changes by upgrading axios from version 1.16.1 to 1.18.0 (CHANGELOG)

Version Description
1.18.0
Malformed http: and https: URLs that omit // are now rejected with ERR_INVALID_URL, whereas they may have been accepted previously.
1.18.0
validateStatus: undefined behavior changed to require opt-in via transitional.validateStatusUndefinedResolves to be treated like the option was omitted; without the opt-in, the behavior differs from previous versions.
✅ 1 CVE resolved by this upgrade

This PR will resolve the following CVEs:

Issue Severity           Description
AIKIDO-2026-291630
HIGH
[axios] Cross-origin redirects leak custom credential headers like X-API-Key and AWS tokens to unintended hosts, allowing attackers to steal sensitive authentication data. This information disclosure vulnerability affects shared environments where secret headers are set by default.

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

@socket-security

Copy link
Copy Markdown

Dependency limit exceeded — report not shown.

This pull request scan exceeded the 10,000-dependency limit applied to this scan, so the results are incomplete and may be inaccurate. To avoid reporting false positives, Socket has not posted a report.

Upgrade your plan to raise the dependency limit and get complete reports, or view the partial scan in the dashboard.

Socket is always free for open source. If this is a non-commercial open source project, contact us to request a free Team account.

@yosriady yosriady merged commit eac9e7d into main Jun 26, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant