wcmolin opened a new issue, #18255:
URL: https://github.com/apache/dolphinscheduler/issues/18255

   ### Search before asking
   
   - [X] I had searched in the 
[issues](https://github.com/apache/dolphinscheduler/issues?q=is%3Aissue) and 
found no similar issues.
   
   ### What happened
   
   `dolphinscheduler-ui/package.json` depends on axios `^0.27.2` (locked at 
0.27.2), which is affected by CVE-2026-40175 (CVSS 9.9, Critical).
   
   **Details:**
   - **Advisory**: https://github.com/advisories/GHSA-fvcv-3m26-pcqx
   - **Patched version**: axios >= 1.15.0
   
   Axios versions prior to 1.15.0 do not validate HTTP header values for CRLF 
characters. In environments where prototype pollution can occur (e.g., via a 
vulnerable third-party dependency), this flaw could be exploited for request 
smuggling, cloud metadata exfiltration, or remote code execution. It is 
recommended to upgrade axios to `^1.15.0` to address this known vulnerability.
   
   ### What you expected to happen
   
   Upgrade axios to `^1.15.0`.
   
   ### Anything else
   
   Upgrading from 0.x to 1.x is a major version bump and may introduce breaking 
changes. UI functionality should be verified after the upgrade.
   
   ### Version
   
   dev
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of 
Conduct](https://www.apache.org/foundation/policies/conduct)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: 
[email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to