
Commit 713a292

fix: upgrade axios to >=1.12.0 to address CVE-2025-58754 DoS vulnerability
Adds a pnpm workspace override to force axios to >=1.12.0, eliminating the vulnerable axios@1.10.0 brought in transitively via mintlify -> @mintlify/scraping -> @mintlify/common -> @mintlify/models. The vulnerability (GHSA-4hjh-wcwx-xvwj) allowed an attacker to supply a large data: URI causing unbounded memory allocation and process crash (DoS), bypassing maxContentLength/maxBodyLength guards. https://claude.ai/code/session_0141PZwEdnJ66b38QFWNtgrY
1 parent af5a52a commit 713a292
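A workspace override like the one in this commit only helps if the lock file actually stops recording the vulnerable version, so the check a reviewer would want is an audit of `pnpm-lock.yaml` after `pnpm install`. The script below is an added example, not part of this commit or of the project; it assumes pnpm lockfile format v6 or v9, where each entry under `packages:` is keyed `name@version:` (v9) or `/name@version:` (v6), and the two lockfile snippets are constructed to mimic the state before and after the override.

```python
"""Audit a pnpm-lock.yaml for packages resolved below a required minimum version.

Added example (not project code). Assumes lockfile v6/v9 layout:
entries under the top-level `packages:` section are keyed
`name@version:` (v9) or `/name@version:` (v6). Pre-release suffixes are
ignored for the comparison.
"""
import re
from typing import Dict, List, Tuple

# Constructed lockfile excerpts: the transitive axios@1.10.0 before the
# override, and the resolved >=1.12.0 copy after it. Integrity hashes are
# placeholders, not real values.
LOCK_BEFORE = """\
lockfileVersion: '9.0'

packages:

  '@mintlify/models@0.0.205':
    resolution: {integrity: sha512-PLACEHOLDER}

  axios@1.10.0:
    resolution: {integrity: sha512-PLACEHOLDER}

snapshots:

  axios@1.10.0:
    dependencies:
      follow-redirects: 1.15.9
"""

LOCK_AFTER = LOCK_BEFORE.replace("axios@1.10.0", "axios@1.12.0")

# One lockfile entry: two-space indent, optional quote (scoped names are
# quoted in v9), optional leading slash (v6), scoped-or-plain name, "@version".
ENTRY_RE = re.compile(
    r"^  '?/?"                          # indent, optional quote, optional v6 slash
    r"((?:@[^/@'\s]+/)?[^@/'(\s]+)"     # package name, optionally scoped
    r"@(\d+(?:\.\d+)*)"                 # numeric version prefix
)


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '1.12.0' (or '1.12.0-beta.1') into a comparable integer tuple."""
    return tuple(int(part) for part in ver.split("-")[0].split("."))


def lockfile_packages(lock_text: str) -> List[Tuple[str, str]]:
    """Return (name, version) for every entry in the `packages:` section."""
    found: List[Tuple[str, str]] = []
    section = None
    for line in lock_text.splitlines():
        # Unindented `key:` lines open a new top-level section.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            section = line.rstrip()[:-1]
            continue
        if section != "packages":
            continue
        match = ENTRY_RE.match(line)
        if match:
            found.append((match.group(1), match.group(2)))
    return found


def find_below_minimum(lock_text: str, minimums: Dict[str, str]) -> List[Tuple[str, str]]:
    """List (name, version) entries whose version is below the required minimum."""
    hits: List[Tuple[str, str]] = []
    for name, ver in lockfile_packages(lock_text):
        required = minimums.get(name)
        if required is not None and parse_version(ver) < parse_version(required):
            hits.append((name, ver))
    return hits


if __name__ == "__main__":
    # The override in this commit requires axios >= 1.12.0.
    required = {"axios": "1.12.0"}
    for label, text in (("before", LOCK_BEFORE), ("after", LOCK_AFTER)):
        print(label, "->", find_below_minimum(text, required) or "clean")
```

Run it against a real lock file by reading the file contents in place of the constructed strings; a non-empty result means the override has not taken effect (for example because the lock file was not regenerated) and the vulnerable copy is still what gets installed.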

2 files changed

Lines changed: 6 additions & 13 deletions


pnpm-lock.yaml

Lines changed: 3 additions & 13 deletions

pnpm-workspace.yaml

Lines changed: 3 additions & 0 deletions
@@ -2,6 +2,9 @@ overrides:
22
# Fix CVE-2024-45296 / GHSA-9wv6-86v2-598j: path-to-regexp ReDoS vulnerability
33
# Transitive via mintlify -> @mintlify/previewing -> express@4.18.2
44
"path-to-regexp@<0.1.10": "0.1.10"
5+
# Fix CVE-2025-58754 / GHSA-4hjh-wcwx-xvwj: axios DoS vulnerability via data: URI
6+
# Transitive via mintlify -> @mintlify/scraping -> @mintlify/common -> @mintlify/models
7+
"axios@<1.12.0": ">=1.12.0"
58

69
packages:
710
- apps/agentstack-ui
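Review bot: the new override `"axios@<1.12.0": ">=1.12.0"` maps to an open range rather than a pinned version, unlike the `path-to-regexp` override two lines above, which pins `0.1.10`; with a range, pnpm resolves whatever latest axios satisfies it at install time, so the regenerated lock file, not this line, decides which version actually ships. Consider pinning the version the lock file now records, or at least confirming with `pnpm why axios` that no `axios@1.10.0` copy remains, and extend the comment with the condition for dropping the override (once the mintlify -> @mintlify/models chain picks up axios >=1.12.0 on its own), matching the style of the existing path-to-regexp note.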

0 commit comments
