Security Report - eizen-training-ui

🔴 Vulnerabilities (3)
Severity	CVE ID	Package	Installed	Fixed In	Description
MEDIUM	CVE-2025-62718	axios	1.14.0	1.15.0, 0.31.0	axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
MEDIUM	CVE-2026-40175	axios	1.14.0	1.15.0, 0.31.0	axios: Axios: Remote Code Execution via Prototype Pollution escalation
MEDIUM	GHSA-r4q5-vmmm-2653	follow-redirects	1.15.11	1.16.0	follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
🔑 Secrets (0)
Type	File	Line	Match
✅ No secrets found
⚙️ Misconfigurations (0)
Severity	ID	Check	File	Message
✅ No misconfigurations found
📄 Raw JSON Report (click to expand)
{
  "SchemaVersion": 2,
  "CreatedAt": "2026-04-21T12:35:42.455817577Z",
  "ArtifactName": "/src",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "package-lock.json",
      "Class": "lang-pkgs",
      "Type": "npm",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2025-62718",
          "PkgID": "axios@1.14.0",
          "PkgName": "axios",
          "PkgIdentifier": {
            "PURL": "pkg:npm/axios@1.14.0"
          },
          "InstalledVersion": "1.14.0",
          "FixedVersion": "1.15.0, 0.31.0",
          "Status": "fixed",
          "Layer": {},
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-62718",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory npm",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
          },
          "Title": "axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization",
          "Description": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-441",
            "CWE-918"
          ],
          "VendorSeverity": {
            "ghsa": 2,
            "nvd": 4,
            "redhat": 3
          },
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "V3Score": 4.8
            },
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L",
              "V3Score": 9.9
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
              "V3Score": 7
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2025-62718",
            "https://datatracker.ietf.org/doc/html/rfc1034#section-3.1",
            "https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2",
            "https://github.com/axios/axios",
            "https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c",
            "https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df",
            "https://github.com/axios/axios/pull/10661",
            "https://github.com/axios/axios/pull/10688",
            "https://github.com/axios/axios/releases/tag/v0.31.0",
            "https://github.com/axios/axios/releases/tag/v1.15.0",
            "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5",
            "https://nvd.nist.gov/vuln/detail/CVE-2025-62718",
            "https://www.cve.org/CVERecord?id=CVE-2025-62718"
          ],
          "PublishedDate": "2026-04-09T15:16:08.65Z",
          "LastModifiedDate": "2026-04-16T19:16:33.063Z"
        },
        {
          "VulnerabilityID": "CVE-2026-40175",
          "PkgID": "axios@1.14.0",
          "PkgName": "axios",
          "PkgIdentifier": {
            "PURL": "pkg:npm/axios@1.14.0"
          },
          "InstalledVersion": "1.14.0",
          "FixedVersion": "1.15.0, 0.31.0",
          "Status": "fixed",
          "Layer": {},
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-40175",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory npm",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
          },
          "Title": "axios: Axios: Remote Code Execution via Prototype Pollution escalation",
          "Description": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific \"Gadget\" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-113",
            "CWE-444",
            "CWE-918"
          ],
          "VendorSeverity": {
            "ghsa": 2,
            "redhat": 4
          },
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "V3Score": 4.8
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "V3Score": 9
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2026-40175",
            "https://github.com/axios/axios",
            "https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c",
            "https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1",
            "https://github.com/axios/axios/pull/10660",
            "https://github.com/axios/axios/pull/10660#issuecomment-4224168081",
            "https://github.com/axios/axios/pull/10688",
            "https://github.com/axios/axios/releases/tag/v0.31.0",
            "https://github.com/axios/axios/releases/tag/v1.15.0",
            "https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx",
            "https://nvd.nist.gov/vuln/detail/CVE-2026-40175",
            "https://www.cve.org/CVERecord?id=CVE-2026-40175"
          ],
          "PublishedDate": "2026-04-10T20:16:22.8Z",
          "LastModifiedDate": "2026-04-16T19:16:34.517Z"
        },
        {
          "VulnerabilityID": "GHSA-r4q5-vmmm-2653",
          "PkgID": "follow-redirects@1.15.11",
          "PkgName": "follow-redirects",
          "PkgIdentifier": {
            "PURL": "pkg:npm/follow-redirects@1.15.11"
          },
          "InstalledVersion": "1.15.11",
          "FixedVersion": "1.16.0",
          "Status": "fixed",
          "Layer": {},
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://github.com/advisories/GHSA-r4q5-vmmm-2653",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory npm",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
          },
          "Title": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets",
          "Description": "## Summary\n\nWhen an HTTP request follows a cross-domain redirect (301/302/307/308), `follow-redirects` only strips `authorization`, `proxy-authorization`, and `cookie` headers (matched by regex at index.js:469-476). Any custom authentication header (e.g., `X-API-Key`, `X-Auth-Token`, `Api-Key`, `Token`) is forwarded verbatim to the redirect target.\n\nSince `follow-redirects` is the redirect-handling dependency for **axios** (105K+ stars), this vulnerability affects the entire axios ecosystem.\n\n## Affected Code\n\n`index.js`, lines 469-476:\n\n```javascript\nif (redirectUrl.protocol !== currentUrlParts.protocol &&\n   redirectUrl.protocol !== \"https:\" ||\n   redirectUrl.host !== currentHost &&\n   !isSubdomain(redirectUrl.host, currentHost)) {\n  removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);\n}\n```\n\nThe regex only matches `authorization`, `proxy-authorization`, and `cookie`. Custom headers like `X-API-Key` are not matched.\n\n## Attack Scenario\n\n1. App uses axios with custom auth header: `headers: { 'X-API-Key': 'sk-live-secret123' }`\n2. Server returns `302 Location: https://evil.com/steal`\n3. follow-redirects sends `X-API-Key: sk-live-secret123` to `evil.com`\n4. Attacker captures the API key\n\n## Impact\n\nAny custom auth header set via axios leaks on cross-domain redirect. Extremely common pattern. Affects all axios users in Node.js.\n\n## Suggested Fix\n\nAdd a `sensitiveHeaders` option that users can extend, or strip ALL non-standard headers on cross-domain redirect.\n\n## Disclosure\n\nSource code review, manually verified. Found 2026-03-20.",
          "Severity": "MEDIUM",
          "VendorSeverity": {
            "ghsa": 2
          },
          "CVSS": {
            "ghsa": {}
          },
          "References": [
            "https://github.com/follow-redirects/follow-redirects",
            "https://github.com/follow-redirects/follow-redirects/commit/844c4d302ac963d29bdb5dc1754ec7df3d70d7f9",
            "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653"
          ],
          "PublishedDate": "2026-04-14T01:11:11Z",
          "LastModifiedDate": "2026-04-14T01:11:11Z"
        }
      ]
    }
  ]
}
🛡️ Security Scan Report

0

0

3

0

0

0
