mirror of https://github.com/tenrok/axios.git synced 2026-06-17 19:21:29 +03:00
axios/lib/adapters
Nezuko Agent 140a17944a fix: guard socketPath with own() to prevent prototype pollution SSRF (#10901)
* fix: guard socketPath with own() to prevent prototype pollution SSRF

CVE-2026-42264 fix introduced the own() helper to guard config reads,
but socketPath and allowedSocketPaths were missed. An attacker who can
pollute Object.prototype.socketPath (via another dependency) can
redirect all axios requests to a Unix socket (e.g. Docker daemon),
enabling SSRF and container escape.

Fix: use own('socketPath') and own('allowedSocketPaths') instead of
direct config property access.

Ref: GHSA-72mg-mc2j-cwf6
Fixes: CVE-2026-42264 (complete)

* docs: add socketPath security release note

---------

Co-authored-by: Jay <jasonsaayman@gmail.com>
2026-05-24 19:05:48 +02:00

axios // adapters

The modules under adapters/ handle dispatching a request and settling the returned Promise once a response is received.

Example

var settle = require('../core/settle');

module.exports = function myAdapter(config) {
  // At this point:
  //  - config has been merged with defaults
  //  - request transformers have already run
  //  - request interceptors have already run

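  // Make the request using the config provided.
  // Upon response, settle the Promise.
  // request, responseData and responseHeaders below are placeholders
  // for whatever the adapter's transport produces.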

  return new Promise(function (resolve, reject) {
    var response = {
      data: responseData,
      status: request.status,
      statusText: request.statusText,
      headers: responseHeaders,
      config: config,
      request: request,
    };

    settle(resolve, reject, response);

    // From here:
    //  - response transformers will run
    //  - response interceptors will run
  });
};
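
The commit message above describes reading socketPath and allowedSocketPaths through own() so that values inherited from a polluted Object.prototype are ignored. The following is an added example, not axios's own code: the body of own(), the function names readSocketPathUnsafe and readSocketPathGuarded, the allowlist semantics (an array of exact paths) and the sample paths are all assumptions made for illustration.

```javascript
'use strict';

// Hypothetical stand-in for the own() helper named in the commit message:
// return config[key] only when it is an own property of config.
function own(config, key) {
  return Object.prototype.hasOwnProperty.call(config, key) ? config[key] : undefined;
}

// Unguarded read: falls through to Object.prototype when the key is absent.
function readSocketPathUnsafe(config) {
  return config.socketPath;
}

// Guarded read. Assumed semantics: allowedSocketPaths, when set, is an array
// of exact paths, and any socketPath outside it is rejected.
function readSocketPathGuarded(config) {
  const socketPath = own(config, 'socketPath');
  if (socketPath === undefined) return undefined;
  if (typeof socketPath !== 'string') throw new TypeError('socketPath must be a string');
  const allowed = own(config, 'allowedSocketPaths');
  if (allowed !== undefined && !(Array.isArray(allowed) && allowed.includes(socketPath))) {
    throw new Error('socketPath is not in allowedSocketPaths');
  }
  return socketPath;
}

// Constructed demonstration: simulate pollution by another dependency,
// compare both reads on a config that sets no socketPath, then clean up.
function demo() {
  const config = { url: 'http://example.test/status' };
  Object.prototype.socketPath = '/tmp/constructed.sock';
  Object.prototype.allowedSocketPaths = ['/tmp/constructed.sock'];
  try {
    return {
      unsafe: readSocketPathUnsafe(config),
      guarded: readSocketPathGuarded(config),
    };
  } finally {
    delete Object.prototype.socketPath;
    delete Object.prototype.allowedSocketPaths;
  }
}
```

A regression test for an adapter can use the same pattern: pollute the prototype in setup, assert that the request options carry no socketPath, and restore the prototype in teardown.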