[ https://issues.apache.org/jira/browse/HDDS-13677?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18024782#comment-18024782 ]
Attila Doroszlai commented on HDDS-13677:
-----------------------------------------
[~abhishek.pal], CVE-2025-27152 is fixed in axios 0.30.0 (HDDS-12733, 2.0.0).
There is also CVE-2025-58754 fixed in axios 0.30.2 (HDDS-13746, master).
> [UI] Upgrade axios version to 1.8.2+ due to CVE-2025-27152
> ----------------------------------------------------------
>
> Key: HDDS-13677
> URL: https://issues.apache.org/jira/browse/HDDS-13677
> Project: Apache Ozone
> Issue Type: Task
> Components: Ozone Recon
> Affects Versions: 1.4.0, 2.0.0, 1.4.1, 2.1.0
> Reporter: Abhishek Pal
> Assignee: Abhishek Pal
> Priority: Critical
> Labels: pull-request-available
>
> *CVE-2025-27152:*
> axios is a promise-based HTTP client for the browser and node.js. The issue
> occurs when passing absolute URLs rather than protocol-relative URLs to
> axios. Even if baseURL is set, axios sends the request to the specified
> absolute URL, potentially causing SSRF and credential leakage. This issue
> impacts both server-side and client-side usage of axios. This issue is fixed
> in 1.8.2.
> [https://nvd.nist.gov/vuln/detail/CVE-2025-27152]
> [https://security.snyk.io/vuln/SNYK-JS-AXIOS-9292519]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
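Worked example added by the editor, not code from the Jira issue, Apache Ozone or axios. It models the URL handling the description above refers to (an absolute or protocol-relative request path replacing baseURL, which is what makes the request and its attached credentials reachable by an attacker-chosen host) and shows the check a caller can apply before handing user-influenced paths to any HTTP client. The function names (isAbsoluteUrl, buildFullPath, resolveWithinBase), the allowAbsoluteUrls parameter as modelled here, and the base URL and sample paths are this example's own; the combine rule only approximates axios's helpers and is not the library's code.

```javascript
// Added example (editor's own, not from the Jira issue, Ozone or axios).
// Runs on plain Node.js: only the global WHATWG URL class is used.

// Matches "scheme://..." and protocol-relative "//host/..." request paths.
function isAbsoluteUrl(url) {
  return /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);
}

// Approximation of how a baseURL-aware client builds the final URL. With the
// pre-fix default, an absolute requestedURL replaces baseURL entirely, so
// whoever controls the path controls the destination host (SSRF) and receives
// whatever credentials the client attaches. With allowAbsoluteUrls === false
// (the opt-out the fixed versions expose; modelled here, not copied) the string
// is appended to baseURL as a path instead.
function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls = true) {
  if (baseURL && (!isAbsoluteUrl(requestedURL) || allowAbsoluteUrls === false)) {
    return baseURL.replace(/\/?\/$/, "") + "/" + requestedURL.replace(/^\/+/, "");
  }
  return requestedURL;
}

// Hardened resolver for callers: rejects absolute and protocol-relative input,
// resolves the remainder with the WHATWG parser (which also folds backslashes
// and "../" segments the way a browser would), then requires the result to stay
// on the base origin and under the base path. Throws on anything that escapes.
function resolveWithinBase(baseURL, requestedPath) {
  if (isAbsoluteUrl(requestedPath)) {
    throw new Error(`rejected absolute URL: ${requestedPath}`);
  }
  const base = new URL(baseURL);
  const resolved = new URL(requestedPath, base);
  if (resolved.origin !== base.origin) {
    throw new Error(`rejected cross-origin target: ${resolved.origin}`);
  }
  const prefix = base.pathname.endsWith("/") ? base.pathname : base.pathname + "/";
  if (resolved.pathname !== base.pathname && !resolved.pathname.startsWith(prefix)) {
    throw new Error(`rejected path outside ${prefix}: ${resolved.pathname}`);
  }
  return resolved.href;
}

// Constructed inputs: the first is what a UI intends to request; the rest are
// what an attacker who can influence the path would supply.
const BASE = "https://api.internal/v1/";
const SAMPLE_PATHS = [
  "containers/1",
  "https://attacker.example/collect",
  "//attacker.example/collect",
  "\\\\attacker.example/collect",
  "../../admin",
];

for (const p of SAMPLE_PATHS) {
  const vulnerable = buildFullPath(BASE, p); // pre-fix behaviour: absolute wins
  let hardened;
  try {
    hardened = resolveWithinBase(BASE, p);
  } catch (e) {
    hardened = "REJECTED (" + e.message + ")";
  }
  console.log(JSON.stringify(p), "->", vulnerable, "|", hardened);
}
```

The origin check matters even after the regex: "\\attacker.example/collect" contains no forward slashes, so a scheme/"//" test passes it, yet the URL parser treats backslashes as slashes for http(s) and resolves it to the attacker's host. Rejecting input by pattern alone is therefore not enough; compare the parsed result against the intended origin and path prefix, and upgrade to the fixed axios versions named in the comment so the client does the same.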