Open
Description
This version of @aptos-labs/aptos-client uses an axios version which has two vulnerabilities.
I see that v2 of aptos-client fixes this.
aptos-wallet-adapter/package.json, lines 45 to 47 in dbd678f:

```json
"overrides": {
  "@aptos-labs/aptos-client": "^1.2.0"
}
```
1. SSRF and Credential Leakage

This vulnerability allows for Server-Side Request Forgery (SSRF) and potential credential leakage.

- Severity: High
- Package: axios
- Vulnerable Versions: >=1.0.0 <1.8.2
- Patched Versions: >=1.8.2
- Dependency Path: @aptos-labs/wallet-adapter-core > @aptos-connect/wallet-adapter-plugin > @aptos-connect/wallet-api > aptos > @aptos-labs/aptos-client > axios
- More Info: [GHSA-jr5f-v2jv-69x6](GHSA-jr5f-v2jv-69x6)
2. Denial of Service (DoS)

This vulnerability makes the application susceptible to a Denial of Service attack due to a lack of data size checks.

- Severity: High
- Package: axios
- Vulnerable Versions: <1.12.0
- Patched Versions: >=1.12.0
- Dependency Path: @aptos-labs/wallet-adapter-core > @aptos-connect/wallet-adapter-plugin > @aptos-connect/wallet-api > aptos > @aptos-labs/aptos-client > axios
- More Info: [GHSA-4hjh-wcwx-xvwj](GHSA-4hjh-wcwx-xvwj)
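The two advisories above are defined by version ranges, and a transitive `axios` can be nested under several paths in a lockfile. The following script is an added example, not code from the issue or from the aptos-wallet-adapter project: it checks any axios version string against the exact ranges quoted above (`>=1.0.0 <1.8.2` and `<1.12.0`) with a small comparator evaluator, then walks the `packages` map of a package-lock.json (v2/v3 format) and reports every axios copy that is still affected. The lockfile fragment embedded at the bottom is constructed for illustration; the axios versions in it are not taken from the repository.

```javascript
// Added example: audit axios versions against the two advisories in this issue.
// No dependency on the `semver` package; only the comparator forms used in the
// advisory ranges (>=, <=, >, <, =) are supported.

const ADVISORIES = [
  { id: 'GHSA-jr5f-v2jv-69x6', title: 'SSRF and credential leakage', vulnerable: '>=1.0.0 <1.8.2', patched: '>=1.8.2' },
  { id: 'GHSA-4hjh-wcwx-xvwj', title: 'DoS, missing data size checks', vulnerable: '<1.12.0', patched: '>=1.12.0' },
];

// "1.7.4" or "v1.7.4" -> [1, 7, 4]; pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// A range such as ">=1.0.0 <1.8.2" holds when every space-separated comparator holds.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.trim().split(/\s+/).every((comparator) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comparator);
    const cmp = compareVersions(v, parseVersion(m[2]));
    switch (m[1] || '=') {
      case '>=': return cmp >= 0;
      case '<=': return cmp <= 0;
      case '>': return cmp > 0;
      case '<': return cmp < 0;
      default: return cmp === 0;
    }
  });
}

// Returns the advisory ids that still apply to the given axios version.
function auditAxios(version) {
  return ADVISORIES.filter((a) => satisfies(version, a.vulnerable)).map((a) => a.id);
}

// Walks a parsed package-lock.json (lockfileVersion 2 or 3) and reports every
// nested or top-level axios whose version falls in a vulnerable range.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/axios') || !entry.version) continue;
    const advisories = auditAxios(entry.version);
    if (advisories.length > 0) findings.push({ path, version: entry.version, advisories });
  }
  return findings;
}

// Constructed sample lockfile fragment (illustrative versions, not from the repo).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@aptos-labs/aptos-client': { version: '1.2.0' },
    'node_modules/@aptos-labs/aptos-client/node_modules/axios': { version: '1.7.4' },
    'node_modules/axios': { version: '1.12.0' },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

Running the script prints the nested axios 1.7.4 under aptos-client with both advisory ids, while the top-level 1.12.0 is clean. Against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the hoisted top-level copy passing is not enough, because a nested copy is the one the dependency path in this issue resolves to.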