logdna / logger-node

A nodejs logger client for LogDNA
MIT License

Use of axios lower than 1.6.0 results in CVE-2023-45857 #84

Closed andyedwardsibm closed 10 months ago

andyedwardsibm commented 10 months ago

This module is using axios@^0.25.0 https://github.com/logdna/logger-node/blob/87463cbff9f6e64db596ce1f450bdd064bb1b22d/package.json#L109

This makes it vulnerable to CVE-2023-45857:

Moving to at least 1.6.0 resolves the CVE
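
The check the reporter describes, written out as an added example (it is not code from logdna/logger-node or from axios): given a parsed package.json, can the declared axios range resolve to a release older than 1.6.0, the first version the issue names as resolving CVE-2023-45857? In practice you would run `npm ls axios` and `npm audit`; this is the same question answered offline, with no dependency on the `semver` package so that it runs with nothing installed. The semver subset it handles is the set of shapes a manifest usually carries (exact, caret, tilde, `>=`/`>` with an optional upper bound, `*`, and `||` unions); anything else is reported as "unknown" rather than assumed safe. The manifests and the lockfile fragment at the bottom are constructed samples, not the project's real files, and `FIXED_AXIOS_VERSION` is taken from the comment above.

```javascript
// Added example for this issue thread; not code from logdna/logger-node.
// Answers: can the declared range for axios resolve below the fixed version?

const FIXED_AXIOS_VERSION = '1.6.0'; // from the issue: "Moving to at least 1.6.0 resolves the CVE"

// Parse "MAJOR.MINOR.PATCH" (a leading "v" and any -prerelease/+build suffix are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric three-part comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version one "||"-free range admits: exact "1.6.0", caret "^1.6.0",
// tilde "~1.6.0", ">=1.6.0" (an upper bound such as "<2" may follow) and
// ">1.5.9" (whose floor is the next patch release). "*" and "" admit anything.
// Returns null for shapes it does not understand (x-ranges, "<" only, dist-tags).
function minimumOfSimpleRange(range) {
  const r = range.trim();
  if (r === '' || r === '*' || r === 'latest') return '0.0.0';
  const m = /^(>=|>|\^|~)?\s*v?(\d+)\.(\d+)\.(\d+)/.exec(r);
  if (!m) return null;
  let [major, minor, patch] = m.slice(2, 5).map(Number);
  if (m[1] === '>') patch += 1;
  return `${major}.${minor}.${patch}`;
}

// Floor of a full range: the lowest floor across "||" alternatives, because the
// resolver may pick any of them. An unknown alternative makes the whole range unknown.
function minimumVersionOfRange(range) {
  const floors = String(range).split('||').map(minimumOfSimpleRange);
  if (floors.some((f) => f === null)) return null;
  return floors.reduce((lo, f) => (compareVersions(f, lo) < 0 ? f : lo));
}

// "vulnerable": the range can resolve below the fix; "fixed": it cannot; "unknown": not parsed.
function classifyRange(range, fixedVersion = FIXED_AXIOS_VERSION) {
  const floor = minimumVersionOfRange(range);
  if (floor === null) return 'unknown';
  return compareVersions(floor, fixedVersion) < 0 ? 'vulnerable' : 'fixed';
}

// Walk every dependency section of a parsed package.json for the package of interest.
function auditManifest(manifest, pkg = 'axios', fixedVersion = FIXED_AXIOS_VERSION) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const findings = [];
  for (const section of sections) {
    const range = manifest[section] && manifest[section][pkg];
    if (range === undefined) continue;
    findings.push({ section, range, status: classifyRange(range, fixedVersion) });
  }
  return findings;
}

// The lockfile records what actually installs, including nested copies pulled in
// by other dependencies, so a clean manifest range is not the whole story.
// Reads the "packages" map of package-lock.json v2/v3 (install paths as keys).
function auditLockfile(lock, pkg = 'axios', fixedVersion = FIXED_AXIOS_VERSION) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== `node_modules/${pkg}` && !path.endsWith(`/node_modules/${pkg}`)) continue;
    const status = compareVersions(entry.version, fixedVersion) < 0 ? 'vulnerable' : 'fixed';
    findings.push({ path, version: entry.version, status });
  }
  return findings;
}

// Constructed samples (not the project's real files). The first manifest carries
// the range the issue reports; the second the range after the fix. The lockfile
// shows a fixed top-level axios with an old nested copy under another dependency.
const VULNERABLE_MANIFEST = { name: 'example-logger', dependencies: { axios: '^0.25.0' } };
const FIXED_MANIFEST = { name: 'example-logger', dependencies: { axios: '^1.6.0' } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/axios': { version: '1.6.2' },
    'node_modules/some-http-helper/node_modules/axios': { version: '0.27.2' },
  },
};

console.log(auditManifest(VULNERABLE_MANIFEST));
console.log(auditManifest(FIXED_MANIFEST));
console.log(auditLockfile(SAMPLE_LOCK));
```

The point of checking the lockfile separately is that the nested `some-http-helper/node_modules/axios` entry stays vulnerable even after the manifest range is raised; bumping the direct dependency fixes only the top-level copy, so a scanner that reads package.json alone will report the project clean while an old axios still ships.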

darinspivey commented 10 months ago

Thanks for reporting this, @andyedwardsibm . This showed up in our security scans as well, and the notifications for that system have been made louder so we're aware of issues moving forward.

logdnabot commented 10 months ago

:tada: This issue has been resolved in version 2.6.8 :tada:

The release is available on:

Your semantic-release bot :package::rocket: