erezrokah / aws-testing-library / 24335672015
100%
master: 100%

LAST BUILD BRANCH: release-please--branches--main--components--aws-testing-library
DEFAULT BRANCH: master
Ran 13 Apr 2026 09:20AM UTC
Jobs 6
Files 34
Run time 1min
13 Apr 2026 09:19AM UTC coverage: 99.726%. Remained the same
24335672015

push

github

web-flow
chore(deps): update dependency axios to v1.15.0 [security] (#954)

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [axios](https://axios-http.com) ([source](https://redirect.github.com/axios/axios)) | [`1.13.5` → `1.15.0`](https://renovatebot.com/diffs/npm/axios/1.13.5/1.15.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/axios/1.15.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/axios/1.13.5/1.15.0?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2025-62718](https://redirect.github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5)

Axios does not correctly handle hostname normalization when checking
`NO_PROXY` rules.
Requests to loopback addresses like `localhost.` (with a trailing dot)
or `[::1]` (IPv6 literal) skip `NO_PROXY` matching and go through the
configured proxy.

This goes against what developers expect and lets attackers force
requests through a proxy, even if `NO_PROXY` is set up to protect
loopback or internal services.

According to [RFC 1034
§3.1](https://datatracker.ietf.org/doc/html/rfc1034#section-3.1) and
[RFC 3986
§3.2.2](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2), a
hostname can have a trailing dot to show it is a fully qualified domain
name (FQDN). At the DNS level, `localhost.` is the same as `localhost`.
However, Axios does a literal string comparison instead of normalizing
hostnames before checking `NO_PROXY`. This causes requests like
`http://localhost.:8080/` and `http://[::1]:8080/` to be incorrectly
proxied.

This issue leads to the possibility of proxy bypass and SSRF
vulnerabilities allowing attackers to reach sensitive loopback or
internal services despite the configured protections.

---

**PoC**

```js
import http from "http";
import axios from "axios";

const proxyPort = 5300;

http.cre... (continued)
```
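
The normalization the advisory calls for, next to the literal comparison it describes, as an added example that is not part of the commit message and not axios's own code. The function names, the `NO_PROXY` entry forms handled (`host`, `host:port`, `.suffix`, `*`) and the sample URLs are assumptions for illustration.

```javascript
// Added example, not axios's code. Runs on Node.js with no dependencies.

// Literal comparison: the failure mode the advisory describes (illustrative).
function naiveBypassesProxy(requestUrl, noProxy) {
  const host = new URL(requestUrl).hostname; // "localhost." or "[::1]"
  return noProxy.split(",").some((e) => e.trim() === host);
}

// Canonical form: lower case, no IPv6 brackets, no trailing FQDN dot.
function normalizeHost(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1); // [::1] -> ::1
  return h.replace(/\.$/, ""); // localhost. -> localhost
}

// Split one NO_PROXY entry into a normalized host and an optional port.
function parseEntry(entry) {
  const e = entry.trim();
  const bracketed = e.match(/^\[([^\]]+)\](?::(\d+))?$/); // [::1] or [::1]:8080
  if (bracketed) {
    return { host: normalizeHost(bracketed[1]), port: bracketed[2] || "" };
  }
  if ((e.match(/:/g) || []).length === 1) { // host:port
    const [host, port] = e.split(":");
    return { host: normalizeHost(host), port };
  }
  return { host: normalizeHost(e), port: "" }; // bare host or bare IPv6
}

// True when the request must go direct instead of through the proxy.
function bypassesProxy(requestUrl, noProxy) {
  const url = new URL(requestUrl);
  const host = normalizeHost(url.hostname);
  const port = url.port || (url.protocol === "https:" ? "443" : "80");
  return noProxy.split(/[\s,]+/).filter(Boolean).some((raw) => {
    if (raw === "*") return true;
    const entry = parseEntry(raw);
    if (entry.port && entry.port !== port) return false;
    // Assumed convention: an entry matches the host itself and its subdomains.
    const suffix = entry.host.replace(/^\*?\./, "");
    return host === suffix || host.endsWith("." + suffix);
  });
}
```
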

122 of 124 branches covered (98.39%)

Branch coverage included in aggregate %.

606 of 606 relevant lines covered (100.0%)

27.89 hits per line

Jobs

| ID | Job ID | Ran | Files | Coverage |
|---|---|---|---|---|
| 1 | run-ubuntu-latest-node-16.10.0 - 24335672015.1 | 13 Apr 2026 09:21AM UTC | 34 | 99.73 |
| 2 | run-macos-latest-node-lts/* - 24335672015.2 | 13 Apr 2026 09:21AM UTC | 34 | 99.73 |
| 3 | run-ubuntu-latest-node-lts/* - 24335672015.3 | 13 Apr 2026 09:20AM UTC | 34 | 99.73 |
| 4 | run-windows-latest-node-lts/* - 24335672015.4 | 13 Apr 2026 09:21AM UTC | 34 | 99.73 |
| 5 | run-macos-latest-node-16.10.0 - 24335672015.5 | 13 Apr 2026 09:21AM UTC | 34 | 99.73 |
| 6 | run-windows-latest-node-16.10.0 - 24335672015.6 | 13 Apr 2026 09:21AM UTC | 34 | 99.73 |
  • f35c5a44 on github