Commit cb9cb64
authored
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?v=4&size=40){kind=avatar}
chore(deps): update dependency axios to v1.11.0 [security] (#1321)
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [axios](https://axios-http.com)
([source](https://redirect.github.com/axios/axios)) | [`1.10.0` ->
`1.11.0`](https://renovatebot.com/diffs/npm/axios/1.10.0/1.11.0) |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
### GitHub Vulnerability Alerts
####
[GHSA-rm8p-cx58-hcvx](https://redirect.github.com/axios/axios/security/advisories/GHSA-rm8p-cx58-hcvx)
### Summary
A critical vulnerability exists in the form-data package used by
`[email protected]`. The issue allows an attacker to predict multipart
boundary values generated using `Math.random()`, opening the door to
HTTP parameter pollution or injection attacks.
This was submitted in [issue
#​6969](https://redirect.github.com/axios/axios/issues/6969) and
addressed in [pull request
#​6970](https://redirect.github.com/axios/axios/pull/6970).
### Details
The vulnerable package `[email protected]` is used by `[email protected]` as a
transitive dependency. It uses non-secure, deterministic randomness
(`Math.random()`) to generate multipart boundary strings.
This flaw is tracked under [Snyk Advisory
SNYK-JS-FORMDATA-10841150](https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150)
and
[CVE-2025-7783](https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150).
Affected `form-data` versions:
- <2.5.4
- >=3.0.0 <3.0.4
- >=4.0.0 <4.0.4
Since `[email protected]` pulls in `[email protected]`, it is exposed to this
issue.
### PoC
1. Install Axios: - `npm install [email protected]`
2.Run `snyk test`:
```
Tested 104 dependencies for known issues, found 1 issue, 1 vulnerable path.
✗ Predictable Value Range from Previous Values [Critical Severity]
in [email protected] via [email protected] > [email protected]
```
3. Trigger a multipart/form-data request. Observe the boundary header
uses predictable random values, which could be exploited in a targeted
environment.
### Impact
- **Vulnerability Type**: Predictable Value / HTTP Parameter Pollution
- **Risk**: Critical (CVSS 9.4)
- **Impacted Users**: Any application using [email protected] to submit
multipart form-data
This could potentially allow attackers to:
- Interfere with multipart request parsing
- Inject unintended parameters
- Exploit backend deserialization logic depending on content boundaries
### Related Links
[GitHub Issue
#​6969](https://redirect.github.com/axios/axios/issues/6969)
[Pull Request #xxxx](https://redirect.github.com/axios/axios/pull/xxxx)
(replace with actual link)
[Snyk Advisory](https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150)
[form-data on npm](https://www.npmjs.com/package/form-data)
---
### Release Notes
<details>
<summary>axios/axios (axios)</summary>
###
[`v1.11.0`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#1110-2025-07-22)
[Compare
Source](https://redirect.github.com/axios/axios/compare/v1.10.0...v1.11.0)
##### Bug Fixes
- form-data npm pakcage
([#​6970](https://redirect.github.com/axios/axios/issues/6970))
([e72c193](https://redirect.github.com/axios/axios/commit/e72c193722530db538b19e5ddaaa4544d226b253))
- prevent RangeError when using large Buffers
([#​6961](https://redirect.github.com/axios/axios/issues/6961))
([a2214ca](https://redirect.github.com/axios/axios/commit/a2214ca1bc60540baf2c80573cea3a0ff91ba9d1))
- **types:** resolve type discrepancies between ESM and CJS TypeScript
declaration files
([#​6956](https://redirect.github.com/axios/axios/issues/6956))
([8517aa1](https://redirect.github.com/axios/axios/commit/8517aa16f8d082fc1d5309c642220fa736159110))
##### Contributors to this release
- <img
src="https://avatars.githubusercontent.com/u/12534341?v=4&s=18"
alt="avatar" width="18"/> [izzy
goldman](https://redirect.github.com/izzygld "+186/-93 (#​6970 )")
- <img
src="https://avatars.githubusercontent.com/u/142807367?v=4&s=18"
alt="avatar" width="18"/> [Manish
Sahani](https://redirect.github.com/manishsahanidev "+70/-0
(#​6961 )")
- <img
src="https://avatars.githubusercontent.com/u/189505037?v=4&s=18"
alt="avatar" width="18"/> [Noritaka
Kobayashi](https://redirect.github.com/noritaka1166 "+12/-10
(#​6938 #​6939 )")
- <img
src="https://avatars.githubusercontent.com/u/392612?v=4&s=18"
alt="avatar" width="18"/> [James
Nail](https://redirect.github.com/jrnail23 "+13/-2 (#​6956 )")
- <img
src="https://avatars.githubusercontent.com/u/163745239?v=4&s=18"
alt="avatar" width="18"/>
[Tejaswi1305](https://redirect.github.com/Tejaswi1305 "+1/-1
(#​6894 )")
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/apify/crawlee-python).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS40MC4wIiwidXBkYXRlZEluVmVyIjoiNDEuNDAuMCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>1 parent 9ee7ecd commit cb9cb64
1 file changed
+5
-5
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5683 | 5683 | | |
5684 | 5684 | | |
5685 | 5685 | | |
5686 | | - | |
5687 | | - | |
| 5686 | + | |
| 5687 | + | |
5688 | 5688 | | |
5689 | 5689 | | |
5690 | | - | |
| 5690 | + | |
5691 | 5691 | | |
5692 | | - | |
| 5692 | + | |
5693 | 5693 | | |
5694 | 5694 | | |
5695 | 5695 | | |
| |||
9113 | 9113 | | |
9114 | 9114 | | |
9115 | 9115 | | |
9116 | | - | |
| 9116 | + | |
9117 | 9117 | | |
9118 | 9118 | | |
9119 | 9119 | | |
| |||
0 commit comments