From 68dacea57c50f082f4e54cd1d1ffc0e19cd37106 Mon Sep 17 00:00:00 2001
From: Stephane Bouchet
Date: Wed, 18 Feb 2026 17:28:49 +0100
Subject: [PATCH] Fix CVE-2026-25639 by updating axios to patched versions

Denial of Service via __proto__ Key in mergeConfig

Signed-off-by: Stephane Bouchet
---
 code/extensions/che-api/package-lock.json | 25 ++++++++++----------
 code/extensions/che-api/package.json | 2 +-
 code/extensions/che-remote/package-lock.json | 25 ++++++++++----------
 code/extensions/che-remote/package.json | 2 +-
 4 files changed, 28 insertions(+), 26 deletions(-)
diff --git a/code/extensions/che-api/package-lock.json b/code/extensions/che-api/package-lock.json
index 3ba389b09de..a868cc0ef38 100644
--- a/code/extensions/che-api/package-lock.json
+++ b/code/extensions/che-api/package-lock.json
@@ -12,7 +12,7 @@ "@devfile/api": "^2.3.0-1738854228", "@eclipse-che/workspace-telemetry-client": "^0.0.1-1685523760", "@kubernetes/client-node": "^1.4.0", - "axios": "^1.13.1", + "axios": "^1.13.5", "fs-extra": "^11.2.0", "inversify": "^6.0.2", "js-yaml": "^4.1.0",
@@ -1305,20 +1305,20 @@ "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "node_modules/axios": { - "version": "1.13.1", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.13.1.tgz", - "integrity": "sha512-hU4EGxxt+j7TQijx1oYdAjw4xuIp1wRQSsbMFwSthCWeBQur1eF+qJ5iQ5sN3Tw8YRzQNKb8jszgBdMDVqwJcw==", + "version": "1.13.5", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.13.5.tgz", + "integrity": "sha512-cz4ur7Vb0xS4/KUN0tPWe44eqxrIu31me+fbang3ijiNscE129POzipJJA6zniq2C/Z6sJCjMimjS8Lc/GAs8Q==", "license": "MIT", "dependencies": { - "follow-redirects": "^1.15.6", - "form-data": "^4.0.4", + "follow-redirects": "^1.15.11", + "form-data": "^4.0.5", "proxy-from-env": "^1.1.0" } }, "node_modules/axios/node_modules/form-data": { - "version": "4.0.4", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz", - "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==", + "version": "4.0.5", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz", + "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==", "license": "MIT", "dependencies": { "asynckit": "^0.4.0", @@ -2197,15 +2197,16 @@ } }, "node_modules/follow-redirects": { - "version": "1.15.9", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.9.tgz", - "integrity": "sha512-gew4GsXizNgdoRyqmyfMHyAmXsZDk6mHkSxZFCzW9gwlbtOW44CDtYavM+y+72qD/Vq2l550kMF52DT8fOLJqQ==", + "version": "1.15.11", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz", + "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==", "funding": [ { "type": "individual", "url": "https://github.com/sponsors/RubenVerborgh" } ], + "license": "MIT", "engines": { "node": ">=4.0" }, 
diff --git a/code/extensions/che-api/package.json b/code/extensions/che-api/package.json
index 9608ce779f8..4b785ed7247 100644
--- a/code/extensions/che-api/package.json
+++ b/code/extensions/che-api/package.json
@@ -31,7 +31,7 @@
 },
 "dependencies": {
 "@devfile/api": "^2.3.0-1738854228",
- "axios": "^1.13.1",
+ "axios": "^1.13.5",
 "@kubernetes/client-node": "^1.4.0",
 "fs-extra": "^11.2.0",
 "inversify": "^6.0.2",
diff --git a/code/extensions/che-remote/package-lock.json b/code/extensions/che-remote/package-lock.json
index f4dc28cea0d..fbf3996c9ab 100644
--- a/code/extensions/che-remote/package-lock.json
+++ b/code/extensions/che-remote/package-lock.json
@@ -10,7 +10,7 @@ "license": "EPL-2.0", "dependencies": { "@eclipse-che/che-devworkspace-generator": "7.113.0", - "axios": "^1.13.1", + "axios": "^1.13.5", "https": "^1.0.0", "js-yaml": "^4.0.0", "vscode-nls": "^5.0.0"
@@ -1517,20 +1517,20 @@ "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "node_modules/axios": { - "version": "1.13.1", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.13.1.tgz", - "integrity": "sha512-hU4EGxxt+j7TQijx1oYdAjw4xuIp1wRQSsbMFwSthCWeBQur1eF+qJ5iQ5sN3Tw8YRzQNKb8jszgBdMDVqwJcw==", + "version": "1.13.5", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.13.5.tgz", + "integrity": "sha512-cz4ur7Vb0xS4/KUN0tPWe44eqxrIu31me+fbang3ijiNscE129POzipJJA6zniq2C/Z6sJCjMimjS8Lc/GAs8Q==", "license": "MIT", "dependencies": { - "follow-redirects": "^1.15.6", - "form-data": "^4.0.4", + "follow-redirects": "^1.15.11", + "form-data": "^4.0.5", "proxy-from-env": "^1.1.0" } }, "node_modules/axios/node_modules/form-data": { - "version": "4.0.4", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz", - "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==", + "version": "4.0.5", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz", + "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==", "license": "MIT", "dependencies": { "asynckit": "^0.4.0", @@ -2492,15 +2492,16 @@ "dev": true }, "node_modules/follow-redirects": { - "version": "1.15.9", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.9.tgz", - "integrity": "sha512-gew4GsXizNgdoRyqmyfMHyAmXsZDk6mHkSxZFCzW9gwlbtOW44CDtYavM+y+72qD/Vq2l550kMF52DT8fOLJqQ==", + "version": "1.15.11", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz", + "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==", "funding": [ { "type": "individual", "url": "https://github.com/sponsors/RubenVerborgh" } ], + "license": "MIT", "engines": { "node": ">=4.0" }, 
diff --git a/code/extensions/che-remote/package.json b/code/extensions/che-remote/package.json
index 02331080e59..fbd5eebc949 100644
--- a/code/extensions/che-remote/package.json
+++ b/code/extensions/che-remote/package.json
@@ -32,7 +32,7 @@
 },
 "dependencies": {
 "vscode-nls": "^5.0.0",
- "axios": "^1.13.1",
+ "axios": "^1.13.5",
 "@eclipse-che/che-devworkspace-generator": "7.113.0",
 "https": "^1.0.0",
 "js-yaml": "^4.0.0"