mirror of
https://github.com/tenrok/axios.git
synced 2026-06-20 20:00:40 +03:00
Nezuko Agent
140a17944a
* fix: guard socketPath with own() to prevent prototype pollution SSRF
CVE-2026-42264 fix introduced the own() helper to guard config reads,
but socketPath and allowedSocketPaths were missed. An attacker who can
pollute Object.prototype.socketPath (via another dependency) can
redirect all axios requests to a Unix socket (e.g. Docker daemon),
enabling SSRF and container escape.
Fix: use own('socketPath') and own('allowedSocketPaths') instead of
direct config property access.
Ref: GHSA-72mg-mc2j-cwf6
Fixes: CVE-2026-42264 (complete)
* docs: add socketPath security release note
---------
Co-authored-by: Jay <jasonsaayman@gmail.com>
1.3 KiB
1.3 KiB
Pre-Release Changelog
Unreleased
New Features
- HTTP Adapter - Zstandard: Added automatic zstd decompression on Node.js versions that support it.
zstdis only advertised in the defaultAccept-Encodingheader whentransitional.advertiseZstdAcceptEncoding: trueis set. (#6792)
Bug Fixes
- AxiosHeaders: Silently skip empty response header names emitted by some React Native Android responses instead of throwing. (#6959, #10875)
- HTTP Adapter - Socket Path: Ignore inherited
socketPathandallowedSocketPathsconfig values when building Node.js requests, preventing prototype-pollution SSRF via Unix sockets. (#10901) - React Native FormData: Clear the default
Content-Typeheader for React NativeFormDatarequests so Android can build multipart bodies with the correct boundary. (#10898) - Request Data: Preserve enumerable symbol keys when merging plain request data before
transformRequest. (#6392)
Release Documentation TODO
- Update
README.mdrequest config docs fortransitional.advertiseZstdAcceptEncodingand zstd decompression support. - Update
docs/pages/advanced/request-config.mdfortransitional.advertiseZstdAcceptEncodingand zstd decompression support. - Update decompression-bomb security guidance in
README.mdanddocs/pages/misc/security.mdto mention zstd.