
fix: upgrade axios to 1.16.0, 0.32.0 (CVE-2026-44486) #40830

Closed
orbisai0security wants to merge 1 commit into RocketChat:develop from orbisai0security:fix-cve-2026-44486-yarn-lock


Conversation


@orbisai0security orbisai0security commented Jun 5, 2026

Summary

Upgrade axios from 0.31.1 to 1.16.0, 0.32.0 to fix CVE-2026-44486.

Vulnerability

Field        Value
ID           CVE-2026-44486
Severity     HIGH
Scanner      trivy
Rule         CVE-2026-44486
File         yarn.lock
Assessment   Likely exploitable

Description: Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection

Evidence

Scanner confirmation: trivy rule CVE-2026-44486 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Threat Model Context

This is a Node.js library - vulnerabilities affect downstream consumers who use this package.

Changes

  • package.json
  • yarn.lock

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.


Automated security fix by OrbisAI Security

Summary by CodeRabbit

  • Chores
    • Updated dependencies to improve stability and performance.

Automated dependency upgrade by OrbisAI Security
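The PR's Verification list rests on a trivy re-scan, and the automated review on this page skips yarn.lock by path filter, so a human reviewer has no direct view of which axios versions the lockfile actually resolves. As an added example (not part of this PR or of Rocket.Chat's code), the script below parses a Yarn Berry yarn.lock, collects every axios entry, and flags any whose resolved version is below the fix versions this PR names (0.32.0 for the 0.x line that webdav pulls in, 1.16.0 for the 1.x line). The embedded lockfile text is constructed for illustration; the `parseYarnLock`/`auditAxios` names, the FIXED_AXIOS table and the optional file-path argument are this example's own assumptions.

```javascript
// Added example, not part of the PR or of Rocket.Chat: audit a Yarn Berry
// (v2+) yarn.lock for axios entries that resolve below the versions this PR
// pins. The fix thresholds are taken from the PR text; the rest is assumed.
const FIXED_AXIOS = { 0: '0.32.0', 1: '1.16.0' }; // per major line, from the PR

// Numeric compare of "major.minor.patch" strings (pre-release tags ignored).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Parse a Yarn Berry lockfile into { name, descriptors, version } records.
// Key lines are unindented, end with ':' and carry one or more comma-separated
// descriptors such as axios@npm:^1.6.0; the resolved version sits on the
// indented "version:" line that follows. __metadata and comments are skipped.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const descriptors = line.slice(0, -1).replace(/^"|"$/g, '').split(', ');
      // Package name is everything before the protocol separator, scoped or not.
      const named = descriptors[0].match(/^((?:@[^/]+\/)?[^@]+)@/);
      current = named ? { name: named[1], descriptors, version: null } : null;
      if (current) entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version:\s*"?([^"\s]+)"?/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Classify every axios entry against the fix version for its major line.
// A major line with no known fix version is reported as "unknown", not "patched".
function auditAxios(lockText, fixed = FIXED_AXIOS) {
  const report = { vulnerable: [], patched: [], unknown: [] };
  for (const e of parseYarnLock(lockText)) {
    if (e.name !== 'axios' || !e.version) continue;
    const required = fixed[Number(e.version.split('.')[0])];
    const rec = { version: e.version, descriptors: e.descriptors };
    if (required === undefined) report.unknown.push(rec);
    else if (compareVersions(e.version, required) < 0) report.vulnerable.push({ ...rec, required });
    else report.patched.push(rec);
  }
  return report;
}

// Constructed sample lockfile (not the repo's real yarn.lock): one unpatched
// 0.x entry pulled in by webdav, and one patched 1.x entry that several
// ranges resolve to, as a resolutions pin would produce.
const SAMPLE_LOCK = `# This file is generated by running "yarn install" inside your project.
# Manual changes might be lost - proceed with caution!

__metadata:
  version: 8
  cacheKey: 10c0

"axios@npm:^0.30.0":
  version: 0.31.1
  resolution: "axios@npm:0.31.1"
  dependencies:
    follow-redirects: "npm:^1.15.6"
  checksum: 10c0/deadbeef
  languageName: node
  linkType: hard

"axios@npm:1.16.0, axios@npm:^1.6.0, axios@npm:^1.7.9":
  version: 1.16.0
  resolution: "axios@npm:1.16.0"
  dependencies:
    follow-redirects: "npm:^1.15.6"
  checksum: 10c0/cafebabe
  languageName: node
  linkType: hard

"webdav@npm:^4.11.5":
  version: 4.11.5
  resolution: "webdav@npm:4.11.5"
  dependencies:
    axios: "npm:^0.30.0"
  languageName: node
  linkType: hard
`;

// Usage: node audit-axios-lock.js [path/to/yarn.lock]; without a path the
// constructed sample is audited.
const lockPath = process.argv[2];
const lockText = lockPath && typeof require === 'function'
  ? require('fs').readFileSync(lockPath, 'utf8')
  : SAMPLE_LOCK;
console.log(JSON.stringify(auditAxios(lockText), null, 2));
```

Run against the real lockfile, a non-empty `vulnerable` array is the failing condition; the sample deliberately contains the 0.31.1 entry the PR says it is replacing, so it reports one vulnerable and one patched entry. The audit keys on the resolved `version:` line rather than the descriptor range, which is what matters once resolutions force a range to a specific version.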

dionisio-bot Bot commented Jun 5, 2026

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines


changeset-bot Bot commented Jun 5, 2026

⚠️ No Changeset found

Latest commit: d89e8cb

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


coderabbitai Bot commented Jun 5, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 72f5c9b9-e101-4bae-a637-e6349abe43d9

📥 Commits

Reviewing files that changed from the base of the PR and between bf9061f and d89e8cb.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: cubic · AI code reviewer
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: In Rocket.Chat PRs, keep feature PRs free of unrelated lockfile-only dependency bumps; prefer reverting lockfile drift or isolating such bumps into a separate "chore" commit/PR, and always use yarn install --immutable with the Yarn version pinned in package.json via Corepack.
Learnt from: smirk-dev
Repo: RocketChat/Rocket.Chat PR: 39625
File: apps/meteor/app/api/server/v1/push.ts:85-97
Timestamp: 2026-03-14T14:58:58.834Z
Learning: In RocketChat/Rocket.Chat, the `push.token` POST/DELETE endpoints in `apps/meteor/app/api/server/v1/push.ts` were already migrated to the chained router API pattern on `develop` prior to PR `#39625`. `cleanTokenResult` (which strips `authToken` and returns `PushTokenResult`) and `isPushTokenPOSTProps`/`isPushTokenDELETEProps` validators already exist on `develop`. PR `#39625` only migrates `push.get` and `push.info` to the chained pattern. Do not flag `cleanTokenResult` or `PushTokenResult` as newly introduced behavior-breaking changes when reviewing this PR.
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: Rocket.Chat repo context: When a workspace manifest on develop already pins a dependency version (e.g., packages/web-ui-registration → "rocket.chat/ui-contexts": "27.0.1"), a lockfile change in a feature PR that upgrades only that dependency’s resolution is considered a manifest-driven sync and can be kept, preferably as a small "chore: sync yarn.lock with manifests" commit.
🔇 Additional comments (3)
package.json (3)

160-160: Clarify that the direct axios dependency is needed for the GitHub Action, not just for resolutions.

package.json already pins axios to 1.16.0 via resolutions (axios@npm:^... -> 1.16.0), but the repo also directly declares "axios": "1.16.0" in dependencies, and .github/actions/update-version-durability/index.js imports it (import axios from 'axios';). Since no other package.json declares axios, removing the direct dependency would need a concrete alternative to ensure the action script can still resolve/load axios.

> Likely an incorrect or invalid review comment.

41-45: Align the PR’s CVE reference with the axios security advisory being patched.

  • The axios upgrade to 1.16.0/0.32.0 (package.json lines 41-45 and 73) matches an axios advisory returned from the GitHub Security Vulnerabilities API that describes a ReDoS via XSRF cookie name injection and lists CVE-2026-44496 (not CVE-2026-44486).
  • Other public sources claim CVE-2026-44486 is a Proxy-Authorization header leak fixed by axios >= 1.16.0.
    Update the PR to reference the correct CVE (or add a citation mapping CVE-2026-44486 to the specific axios versions being pinned), so reviewers can see the patch justification unambiguously.

73-73: Confirm webdav/axios pins the patched axios@0.32.0 for CVE-2026-44486.

  • webdav@npm:^4.11.5 depends on axios: "npm:^0.30.0", and the resolutions entry "webdav/axios": "0.32.0" forces axios@npm:0.32.0 for that dependency (no fork involved).
  • axios’s advisory for CVE-2026-44486 (Proxy-Authorization leak) states the fix is included in the 0.x branch’s 0.32.0, so this resolves the same issue rather than a webdav-specific one.
  • The intended patch is upstream axios documentation via the GHSA advisory: GHSA-p92q-9vqr-4j8v

Walkthrough

This PR updates dependency versions in package.json. Yarn resolutions for axios are pinned to 1.16.0 across multiple semver ranges, webdav/axios is updated to 0.32.0, and axios is added as a direct dependency entry at 1.16.0.

Changes

Axios Version Upgrade

Layer / File(s)                                          Summary
Axios resolutions and direct dependency (package.json)   Yarn resolutions for multiple axios@npm:^ ranges and webdav/axios are updated to newer versions (1.16.0 and 0.32.0 respectively), and axios is added to top-level dependencies pinned to 1.16.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

type: chore

Suggested reviewers

  • julio-rocketchat
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name                   Status     Explanation
Description Check            ✅ Passed  Check skipped - CodeRabbit's high-level summary is enabled.
Title check                  ✅ Passed  The title accurately describes the main change, upgrading axios versions to fix a security vulnerability (CVE-2026-44486), which aligns with the changeset modifications to package.json.
Docstring Coverage           ✅ Passed  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check          ✅ Passed  Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check   ✅ Passed  Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • CVE-2026: Request failed with status code 401


@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 2 files


@julio-rocketchat
Member

There's already an open PR to update Axios here: #40827. Thank you.
