fix: backport DOS via __proto__ key in merge config fix to v0.x#7388

Merged
jasonsaayman merged 3 commits into axios:v0.x from FeBe95:backport-dos-via-proto-key-in-merge-config
Feb 11, 2026

Conversation

@FeBe95

@FeBe95 FeBe95 commented Feb 10, 2026

Backports fix for GHSA-43fc-jf86-j433 on v1.x (#7369) to v0.x.


Summary by cubic

Backports the GHSA-43fc-jf86-j433 prototype pollution fix to v0.x by filtering dangerous keys during config merging. Prevents DoS via `__proto__`/constructor/prototype and aligns v0.x with the v1.x behavior.

Description

  • Filter "__proto__", "constructor", and "prototype" in utils.merge and core/mergeConfig.
  • In mergeConfig, use utils.hasOwnProperty(mergeMap, prop) when choosing the merge strategy to avoid prototype-chain lookups.
  • No breaking changes for valid configs.

Testing

  • Added test/unit/core/prototypePollution.js covering top-level and nested dangerous keys, deeply nested objects, JSON.parse payloads, headers, custom props, and normal merge behavior.
  • Tests use require() (CommonJS) to match v0.x.
  • No changes to existing tests.

Written for commit a615fe5. Summary will update on new commits.

@FeBe95
Author

FeBe95 commented Feb 10, 2026

Running tests locally, 1 test fails:

 86 passing (4s)
  1 failing

  1) supports http with nodejs
       should support max content length:

      Uncaught AssertionError [ERR_ASSERTION]: 'Request failed with status code 400' == 'maxContentLength size of 2000 exceeded'
      + expected - actual

      -Request failed with status code 400
      +maxContentLength size of 2000 exceeded
      
      at Timeout._onTimeout (test\unit\adapters\http.js:501:16)
      at listOnTimeout (node:internal/timers:608:17)
      at process.processTimers (node:internal/timers:543:7)

The same test fails on the v0.x branch.

Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 3 files

Confidence score: 4/5

  • Minor risk: the __proto__ tests in test/unit/core/prototypePollution.js may not actually exercise own-property filtering because object literals treat __proto__ as prototype assignment, so the test could give a false sense of coverage.
  • This looks like a low-severity testing concern (4/10, low confidence), so the change appears safe to merge with minimal risk.
  • Pay close attention to test/unit/core/prototypePollution.js - ensure the __proto__ filtering behavior is truly validated.
Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="test/unit/core/prototypePollution.js">

<violation number="1" location="test/unit/core/prototypePollution.js:17">
P2: Tests attempt to verify `__proto__` filtering using object literals, but `__proto__` in object literals sets the prototype instead of creating an own property. As a result, the merge/filtering logic for `__proto__` is not actually exercised, leaving prototype-pollution protection untested in these cases.</violation>
</file>

@jasonsaayman jasonsaayman changed the title Backport DOS via __proto__ key in merge config fix to v0.x fix: backport DOS via __proto__ key in merge config fix to v0.x Feb 11, 2026
@jasonsaayman jasonsaayman added priority::medium A medium priority commit::fix The PR is related to a bugfix type::security The PR is a security related change normally from a CVE labels Feb 11, 2026
Member

@jasonsaayman jasonsaayman left a comment

thanks looking good

@jasonsaayman
Member

@FeBe95 I'm going to merge this and will then look to release soonish. I need to fix the CI etc. to actually release this and keep v0.x working correctly / better, which I will all try to get done this week.

@jasonsaayman jasonsaayman merged commit d7ff140 into axios:v0.x Feb 11, 2026
7 of 8 checks passed
@gbhasha

gbhasha commented Feb 17, 2026

@jasonsaayman could you share the ETA on release update on v0.x with this fix?

@FeBe95 FeBe95 deleted the backport-dos-via-proto-key-in-merge-config branch February 18, 2026 17:19
@FeBe95
Author

FeBe95 commented Feb 18, 2026

@gbhasha Version 0.30.3 has just been released!

@VikramSingh1994

VikramSingh1994 commented Feb 19, 2026

Hi @FeBe95 , @jasonsaayman
First, thank you for addressing the recent security vulnerability in v1.13.5 — we appreciate the quick turnaround on that fix.

Many enterprise projects are still dependent on the 0.x line. Are there any plans to fully address this issue and clear all related vulnerabilities in the 0.x branch as well (including v0.30.3)?

We’re currently seeing security scanners continue to flag the 0.x version, so clarification on the maintenance and support plan for 0.x would be very helpful.

Thanks in advance.

Refs:https://security.snyk.io/package/npm/axios/0.30.3

@FeBe95
Author

FeBe95 commented Feb 19, 2026

Hey @VikramSingh1994 :)

> Are there any plans to fully address this issue and clear all related vulnerabilities in the 0.x branch.

The vulnerability was fixed in version 0.30.3 of axios. That's exactly what this PR (and the linked release) was all about.

> We’re currently seeing security scanners continue to flag the 0.x version

I have never used Snyk myself, but I guess that they are showing outdated vulnerability information then. They probably automatically flagged version 0.30.3 as vulnerable (after its release), because the affected version list still simply says "every version < 1.13.5 is affected".

Note that the NPM registry (for npm audit) is fetching data from the GitHub advisory database, GHSA-43fc-jf86-j433 in this case. For NPM to pick up the fix, I had to manually propose the new affected version ranges over there.

The affected version ranges should look like this now:

>= 1.0.0, <= 1.13.4
<= 0.30.2

The GitHub advisory database allows everyone to propose changes via the "Suggest improvements for this vulnerability" link on each page. Snyk does the same via the "Found a mistake?" button. You have to have an account for this though, which I don't have. Feel free to make them aware of the fixed vulnerability in version 0.30.3 by clicking the button and contacting their support.

https://security.snyk.io/vuln/SNYK-JS-AXIOS-15252993

@jasonsaayman
Member

I adjusted the advisory, so it should pull through. I think I will implement making the fix in both branches and releasing before completing the CVE. Thanks.

@jasonsaayman
Member

@VikramSingh1994 if the issue still shows up in a day or two, please reach out and I can chat with the Snyk / GitHub security team.

@FeBe95
Author

FeBe95 commented Feb 20, 2026

Snyk seems to have updated their page. The H(igh) vulnerability in 0.30.3 is gone now.

@jasonsaayman They are still showing a M(edium) vulnerability in 0.30.3 though, which I fixed back in September last year.

I saw that the GitHub advisory database lists the correct version ranges, while the advisory in this repository wasn't updated. And it also says < 1.11.0 while it should say <= 1.11.0 (or < 1.12.0).

Could you please update this as well? Maybe Snyk is taking the latter one as a source for their CVE details.


@jasonsaayman
Member

done

@VikramSingh1994

Thanks @FeBe95 @jasonsaayman ,
It has been fixed and the High vulnerability mark has been removed from this version.
Thanks.

@wfk007

wfk007 commented Feb 24, 2026

How about defining mergeMap with Object.create(null)?
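The points raised across this thread, in one added example: the dangerous-key filter and the own-property check on mergeMap from the PR description, the review bot's note that `__proto__` in an object literal sets the prototype instead of creating an own key, and the Object.create(null) suggestion above. This is an illustrative reimplementation, not axios's utils.merge or mergeConfig; the strategy names in mergeMap and both payloads are constructed for the demo.

```javascript
// Illustrative reimplementation (not axios's code) of the three points in this
// thread: the key filter from the backport, the mergeMap lookup, and the
// review bot's warning about how __proto__ test payloads are constructed.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Deep-merge plain objects, dropping keys that could reach Object.prototype.
function safeMerge(...sources) {
  const result = {};
  for (const src of sources) {
    if (src === null || typeof src !== 'object') continue;
    for (const key of Object.keys(src)) {        // own keys only
      if (DANGEROUS_KEYS.has(key)) continue;     // filtered, as in the backport
      const val = src[key];
      const isPlain = val !== null && typeof val === 'object' && !Array.isArray(val);
      result[key] = isPlain ? safeMerge(result[key], val) : val;
    }
  }
  return result;
}

// Strategy table keyed by config property (strategy names are constructed).
// A plain mergeMap[prop] lookup for prop === 'constructor' walks the prototype
// chain and returns Object itself, so the backport checks own properties first;
// a null-prototype table (the Object.create(null) suggestion) has no chain to walk.
const mergeMap = { url: 'valueFromConfig2', headers: 'deepMerge' };
function strategyFor(prop) {
  return Object.prototype.hasOwnProperty.call(mergeMap, prop) ? mergeMap[prop] : 'default';
}
const nullProtoMap = Object.assign(Object.create(null), mergeMap);
function strategyForNullProto(prop) { return nullProtoMap[prop] !== undefined ? nullProtoMap[prop] : 'default'; }

// The review bot's point: in an object literal, __proto__ is prototype
// assignment and creates no own key, so the filter above is never consulted.
// A JSON.parse payload does create an own "__proto__" key.
function hasOwnProtoKey(obj) {
  return Object.prototype.hasOwnProperty.call(obj, '__proto__');
}
const literalPayload = { __proto__: { polluted: 1 } };                // constructed
const parsedPayload = JSON.parse('{"__proto__": {"polluted": 1}}');   // constructed

function demo() {
  const merged = safeMerge({ headers: { a: 1 } }, parsedPayload, { headers: { b: 2 } });
  return {
    literalHasOwnKey: hasOwnProtoKey(literalPayload),   // false
    parsedHasOwnKey: hasOwnProtoKey(parsedPayload),     // true
    mergedHasOwnKey: hasOwnProtoKey(merged),            // false: key was dropped
    headers: merged.headers,                            // { a: 1, b: 2 }
  };
}
```

A test that only feeds the literal form would pass with or without the filter, which is the false coverage the bot flagged; the JSON.parse form is the one that exercises it.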
