[Aikido] Fix 17 critical issues in form-data, @actions/github, @slack/web-api and 4 more

[aikido-autofix]

Upgrade dependencies to fix critical RCE vulnerability in Axios via prototype pollution gadget chain, DoS in Axios mergeConfig, HTTP Parameter Pollution in form-data, and prototype pollution in lodash. This update includes breaking changes that require manual migration.

⚠️ Incomplete breaking changes analysis (2/7 analyzed)

⚠️ Breaking changes analysis not available for: form-data, @actions/github, @slack/web-api, @babel/traverse, cross-spawn

⚠️ ## axios (0.19.2 => 0.31.0)

Breaking Change: Removed functionality that removed the Content-Type request header when passing FormData (v0.27.0)

• Where your code is affected: dist/index.js (WebClient class in @slack/web-api package, lines around axios initialization and serializeApiCallOptions method)

• Impact: The @slack/web-api package (v5.10.0) bundled in dist/index.js explicitly deletes the Content-Type header for POST requests (delete this.axios.defaults.headers.post['Content-Type']) and relies on axios to automatically set the correct Content-Type header when FormData is passed. In axios 0.27.0+, this automatic removal behavior was changed. The code creates FormData instances using form-data package and copies headers from form.getHeaders() into the request headers. However, since the default POST Content-Type is deleted, there may be conflicts or missing headers if axios no longer automatically handles FormData Content-Type removal.

• Remediation: Verify that the Content-Type header handling in the serializeApiCallOptions method properly sets multipart/form-data headers from form.getHeaders() before axios processes the request, or update the axios configuration to ensure Content-Type is properly managed for FormData requests.

Breaking Change: Refactored error handling implementing AxiosError as a constructor (v0.27.0)

• Where your code is affected: dist/index.js (error handling in WebClient's makeRequest method and general error handling throughout the bundled code)

• Impact: The code checks error.isAxiosError property in the bundled axios code. The refactoring of AxiosError as a constructor in v0.27.0 may change how errors are instantiated and their properties are set, potentially affecting error detection and handling logic.

• Remediation: Review error handling code to ensure it properly handles the new AxiosError constructor pattern and verify that error.isAxiosError checks still work correctly with the refactored error handling.

form-data (2.5.1 => 2.5.4)

Breaking Change: setBoundary() method now validates boundary type (v2.5.4)

• Where your code is affected: Not directly affected - no calls to setBoundary() found in the codebase

• Impact: The code uses form.getHeaders() and form.append() methods but does not call setBoundary() directly, so this validation change does not affect the codebase.

• Remediation: No action required for this specific change.

All breaking changes by upgrading axios from version 0.19.2 to 0.31.0 (CHANGELOG)

Version	Description
0.23.0	Distinguish request and response data types
0.23.0	Change never type to unknown
0.23.0	Fixed TransitionalOptions typings
0.24.0	Revert: change type of AxiosResponse to any
0.25.0	Fixing maxBodyLength enforcement
0.25.0	Don't rely on strict mode behaviour for arguments
0.25.0	Adding error handling when missing url
0.25.0	Update isAbsoluteURL.js removing escaping of non-special characters
0.25.0	Use native Array.isArray() in utils.js
0.25.0	Adding error handling inside stream end callback
0.27.0	New toFormData helper function that allows the implementor to pass an object and allow axios to convert it to FormData
0.27.0	Removed functionality that removed the the Content-Type request header when passing FormData
0.27.0	Refactored error handling implementing AxiosError as a constructor
0.27.0	Separated responsibility for FormData instantiation between transformRequest and toFormData
0.27.0	Improved and fixed multiple issues with FormData support

✅ 17 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2026-40175	HIGH	[axios] A prototype pollution vulnerability in Axios can be exploited through gadget chains to escalate into Remote Code Execution (RCE) or bypass AWS IMDSv2 for cloud compromise. This affects any third-party dependencies using the library.
CVE-2026-25639	HIGH	[axios] The mergeConfig function crashes with a TypeError when processing configuration objects containing proto as an own property, allowing attackers to trigger denial of service. An attacker can exploit this by providing a malicious configuration object created via JSON.parse().
CVE-2023-45857	MEDIUM	[axios] An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
AIKIDO-2025-10185	MEDIUM	[axios] A server-side request forgery (SSRF) vulnerability exists due to allowAbsoluteUrls not being set to false by default in buildFullPath(), allowing attackers to bypass URL restrictions and process unintended URLs.
CVE-2020-28168	MEDIUM	[axios] NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
CVE-2025-27152	MEDIUM	[axios] Axios sends requests to absolute URLs even when baseURL is configured, bypassing intended routing and potentially causing Server-Side Request Forgery (SSRF) and credential leakage in both server and client environments.
CVE-2021-3749	LOW	[axios] is vulnerable to Inefficient Regular Expression Complexity
AIKIDO-2023-10001	LOW	[axios] Prototype pollution vulnerability in the formDataToJSON function allows attackers to manipulate object properties. Additionally, a ReDoS vulnerability in combineURLs can cause denial of service through malicious input.
CVE-2025-7783	🚨 CRITICAL	[form-data] Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
CVE-2020-8203	HIGH	[lodash.set] Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
GHSA-r4q5-vmmm-2653	MEDIUM	[follow-redirects] Custom authentication headers (e.g., X-API-Key, X-Auth-Token) are leaked to redirect targets on cross-domain redirects because only standard headers are stripped. This enables attackers to capture sensitive credentials through malicious redirects.
CVE-2024-28849	MEDIUM	[follow-redirects] Authorization credentials in the proxy-authentication header are leaked during cross-domain redirects because the header is not cleared like the authorization header. This allows attackers to obtain sensitive proxy credentials.
CVE-2023-26159	MEDIUM	[follow-redirects] Improper URL parsing allows attackers to manipulate hostname interpretation, enabling traffic redirection to malicious sites for phishing, information disclosure, or other attacks.
CVE-2022-0536	MEDIUM	[follow-redirects] Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.
AIKIDO-2025-10745	MEDIUM	[@babel/traverse] A vulnerability allows remote code execution during compilation when processing malicious input with certain plugins that use internal evaluation methods. This affects plugins like @babel/plugin-transform-runtime and @babel/preset-env with useBuiltIns option.
CVE-2024-21538	LOW	[cross-spawn] A Regular Expression Denial of Service (ReDoS) vulnerability exists due to improper input sanitization, allowing attackers to craft malicious strings that cause excessive CPU usage and program crashes. This vulnerability enables denial of service attacks through crafted input.
CVE-2022-25883	LOW	[semver] Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

[aikido-pr-checks]

CVE-2025-25288 in @octokit/plugin-paginate-rest - low severity
@octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. For versions starting in 1.0.0 and prior to 11.4.1 of the npm package @octokit/plugin-paginate-rest, when calling octokit.paginate.iterator(), a specially crafted octokit instance—particularly with a malicious link parameter in the headers section of the request—can trigger a ReDoS attack. Version 11.4.1 contains a fix for the issue.

Details

Remediation Aikido suggests bumping this package to version 9.2.2 to resolve this issue

_{Reply @AikidoSec ignore: [REASON] to ignore this issue.}
More info

[aikido-autofix]

Closed by Aikido: a new AutoFix has been created → #5