Your message dated Mon, 15 Sep 2025 09:42:11 +0200
with message-id <amfdu6xjvyyur...@eldamar.lan>
and subject line Re: Accepted node-axios 1.12.1+dfsg-1 (source) into unstable
has caused the Debian Bug report #1114963,
regarding node-axios: CVE-2025-58754
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1114963: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114963
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-axios
Version: 1.11.0+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/axios/axios/pull/7011
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for node-axios.
CVE-2025-58754[0]:
| Axios is a promise based HTTP client for the browser and Node.js.
| When Axios prior to version 1.11.0 runs on Node.js and is given a
| URL with the `data:` scheme, it does not perform HTTP. Instead, its
| Node http adapter decodes the entire payload into memory
| (`Buffer`/`Blob`) and returns a synthetic 200 response. This path
| ignores `maxContentLength` / `maxBodyLength` (which only protect
| HTTP responses), so an attacker can supply a very large `data:` URI
| and cause the process to allocate unbounded memory and crash (DoS),
| even if the caller requested `responseType: 'stream'`. Version
| 1.11.0 contains a patch for the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-58754
https://www.cve.org/CVERecord?id=CVE-2025-58754
[1] https://github.com/axios/axios/pull/7011
[2] https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj
[3] https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-axios
Source-Version: 1.12.1+dfsg-1
On Sun, Sep 14, 2025 at 03:50:26PM +0000, Debian FTP Masters wrote:
> Format: 1.8
> Date: Sun, 14 Sep 2025 17:25:38 +0200
> Source: node-axios
> Architecture: source
> Version: 1.12.1+dfsg-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
> Changed-By: Yadd <y...@debian.org>
> Changes:
> node-axios (1.12.1+dfsg-1) unstable; urgency=medium
> .
> * Team upload
> * New upstream version 1.12.1+dfsg
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel