Nezuko Agent 140a17944a fix: guard socketPath with own() to prevent prototype pollution SSRF (#10901) ...

* fix: guard socketPath with own() to prevent prototype pollution SSRF

CVE-2026-42264 fix introduced the own() helper to guard config reads,
but socketPath and allowedSocketPaths were missed. An attacker who can
pollute Object.prototype.socketPath (via another dependency) can
redirect all axios requests to a Unix socket (e.g. Docker daemon),
enabling SSRF and container escape.

Fix: use own('socketPath') and own('allowedSocketPaths') instead of
direct config property access.

Ref: GHSA-72mg-mc2j-cwf6
Fixes: CVE-2026-42264 (complete)

* docs: add socketPath security release note

---------

Co-authored-by: Jay <jasonsaayman@gmail.com>

2026-05-24 19:05:48 +02:00

..

adapters

fix: guard socketPath with own() to prevent prototype pollution SSRF (#10901)

2026-05-24 19:05:48 +02:00

cancel

feat: implement prettier and fix all issues (#7385)

2026-02-14 16:59:48 +02:00

core

fix(headers): silently skip empty header names instead of throwing (#10875)

2026-05-22 20:33:18 +02:00

defaults

feat(http): add zstd decompression support (#10920)

2026-05-20 18:30:26 +02:00

env

chore(release): prepare release 1.16.1 (#10877)

2026-05-13 18:11:40 +02:00

helpers

fix: clear RN FormData content type (#10898)

2026-05-24 15:39:00 +02:00

platform

feat: implement prettier and fix all issues (#7385)

2026-02-14 16:59:48 +02:00

axios.js

feat: implement prettier and fix all issues (#7385)

2026-02-14 16:59:48 +02:00

utils.js

fix: preserve symbol keys in merged request data (#10812)

2026-05-22 20:15:18 +02:00