
[BUG] Axios package <1.6.0 vulnerability

Open apptio-mrejdych opened this issue 1 year ago • 3 comments

A few days ago a CSRF vulnerability was found in all axios versions below 1.6.0. Yesterday the axios team pushed 1.6.0 with a fix for that. Are you going to somehow replace axios or bump to the latest version to resolve that issue?

https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459
https://www.cve.org/CVERecord?id=CVE-2023-45857
https://cwe.mitre.org/data/definitions/352.html
https://github.com/axios/axios/issues/6006

apptio-mrejdych avatar Oct 27 '23 08:10 apptio-mrejdych
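A quick way to confirm whether a project still pulls in an affected axios (every copy below 1.6.0, including nested ones under an older @nestjs/axios) is to walk the lockfile. The following is an added example, not code from the issue or from openapi-generator-cli; the lockfile content is constructed, and the nested axios 0.27.2 under @nestjs/axios 0.1.0 is an assumed layout used only to show the nesting case.

```javascript
// Added example: scan an npm lockfile's "packages" map (lockfileVersion 2/3)
// for installed copies of axios below the first fixed release, 1.6.0
// (CVE-2023-45857). Not part of the original issue thread.

const FIXED_VERSION = "1.6.0";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A prerelease sorts before its release (1.6.0-beta.1 < 1.6.0), per semver.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.parts[i] !== y.parts[i]) return x.parts[i] - y.parts[i];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Every entry of lock.packages is keyed by its install path; nested copies
// live under paths such as "node_modules/@nestjs/axios/node_modules/axios",
// so match on the trailing "node_modules/axios" segment only.
function findVulnerableAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/axios$/.test(path) || !meta.version) continue;
    if (compareSemver(meta.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (assumed layout, not a real project): the hoisted
// axios is already fixed, but a nested copy under an older @nestjs/axios is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "0.0.0" },
    "node_modules/axios": { version: "1.6.0" },
    "node_modules/@nestjs/axios": { version: "0.1.0" },
    "node_modules/@nestjs/axios/node_modules/axios": { version: "0.27.2" },
  },
};
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means no installed axios copy is below 1.6.0.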

It would be great to get a fix for this issue, e.g., updating the reference to Axios to version 1.6.0 or newer.

towa99 avatar Nov 09 '23 15:11 towa99

The upgrade to axios v1.6.0 (the first version with the fixed vulnerability) was incorporated in nestjs/axios in version 3.0.1: https://github.com/nestjs/axios/releases/tag/3.0.1 through PR https://github.com/nestjs/axios/commit/4cdd3f0313f66bef75c14685091dd34335fe53e6. I am not sure how much work it would be for openapi-generator-cli to jump from nestjs/axios 0.1.0 to 3.0.1.

wvanderdeijl avatar Nov 14 '23 13:11 wvanderdeijl

This was fixed in #719. (Version 2.8.0)

GeorgEchterling avatar Feb 08 '24 13:02 GeorgEchterling