Your dependencies cross-checked against the OSV vulnerability database.
-
Worth fixing GHSA-3g43-6gmg-66jw axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-44495). Fix: Update that package to its patched version.
-
Worth fixing GHSA-3p68-rc4w-qgx5 Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2025-62718). Fix: Update that package to its patched version.
-
Worth fixing GHSA-43fc-jf86-j433 Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-25639). Fix: Update that package to its patched version.
-
Worth fixing GHSA-5c9x-8gcm-mpgx Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-42034). Fix: Update that package to its patched version.
-
Worth fixing GHSA-62hf-57xw-28j9 Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-42039). Fix: Update that package to its patched version.
-
Worth fixing GHSA-6chq-wfr3-2hj9 Axios: Header Injection via Prototype Pollution
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-42035). Fix: Update that package to its patched version.
-
Worth fixing GHSA-898c-q2cr-xwhg axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-44490). Fix: Update that package to its patched version.
-
Worth fixing GHSA-fvcv-3m26-pcqx Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-40175). Fix: Update that package to its patched version.
-
Worth fixing GHSA-hfxv-24rg-xrqf Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-44496). Fix: Update that package to its patched version.
-
Worth fixing GHSA-j5f8-grm9-p9fc Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-44486). Fix: Update that package to its patched version.
-
Worth fixing GHSA-jr5f-v2jv-69x6 axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2025-27152). Fix: Update that package to its patched version.
-
Worth fixing GHSA-m7pr-hjqh-92cm Axios: no_proxy bypass via IP alias allows SSRF
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-42038). Fix: Update that package to its patched version.
-
Worth fixing GHSA-p92q-9vqr-4j8v Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-44487). Fix: Update that package to its patched version.
-
Worth fixing GHSA-pf86-5x62-jrwf Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-42033). Fix: Update that package to its patched version.
-
Worth fixing GHSA-pjwm-pj3p-43mv axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-44492). Fix: Update that package to its patched version.
-
Worth fixing GHSA-pmwg-cvhr-8vh7 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-42043). Fix: Update that package to its patched version.
-
Worth fixing GHSA-vf2m-468p-8v99 Axios: HTTP adapter streamed responses bypass maxContentLength
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-42036). Fix: Update that package to its patched version.
-
Worth fixing GHSA-w9j2-pvgh-6h63 Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-42041). Fix: Update that package to its patched version.
-
Worth fixing GHSA-wf5p-g6vw-rhxx Axios Cross-Site Request Forgery Vulnerability
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2023-45857). Fix: Update that package to its patched version.
-
Worth fixing GHSA-xx6v-rp6x-q39c Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-42042). Fix: Update that package to its patched version.
-
Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
-
Worth fixing GHSA-3xgq-45jj-v275 Regular Expression Denial of Service (ReDoS) in cross-spawn
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2024-21538). Fix: Update that package to its patched version.
-
Worth fixing GHSA-cxjh-pqwp-8mfp follow-redirects' Proxy-Authorization header kept across hosts
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2024-28849). Fix: Update that package to its patched version.
-
Worth fixing GHSA-jchw-25xp-jwwc Follow Redirects improperly handles URLs in the url.parse() function
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole (CVE-2023-26159). Fix: Update that package to its patched version.
-
Worth fixing GHSA-r4q5-vmmm-2653 follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
/workdirs/scan-9a15f6dc-071e-4737-af04-2ab8a7ac741c/yarn.lock
A package you depend on has a known security hole. Fix: Update that package to its patched version.