Vulnerability
Severity: HIGH (all 4 advisories)
Package: axios@1.13.2
Affected component: core
Dependency type: direct (core/package.json → "axios": "^1.13.2")
Note: Issues #193 and #823 together cover 20 axios advisories in the affected range (1.0.0–1.15.2). This issue tracks 4 additional HIGH-severity advisories discovered in the same range that are not covered by either prior issue.
Advisories (all affect axios 1.0.0 – 1.15.2)
| Advisory | Severity | Description |
|---|---|---|
| GHSA-hfxv-24rg-xrqf | HIGH | Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection — crafted cookie names trigger catastrophic backtracking in the cookie-parsing regex |
| GHSA-777c-7fjr-54vf | HIGH | Allocation of Resources Without Limits or Throttling in Axios — unbounded resource consumption in certain request/response handling paths |
| GHSA-p92q-9vqr-4j8v | HIGH | Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter — Proxy-Authorization header forwarded to the redirect target instead of being stripped on cross-scheme redirects |
| GHSA-j5f8-grm9-p9fc | HIGH | Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection — proxy credentials forwarded when axios switches from proxied to direct routing mid-redirect |
Fix
Recommended version: axios ≥1.15.2
Fix command:
Or pin directly in core/package.json: "axios": "^1.15.2"
(Same fix as #193 and #823 — all axios advisories in this range are resolved by upgrading to ≥1.15.2.)
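To confirm the upgrade actually landed everywhere (a nested copy of axios pulled in by another dependency is not fixed by bumping the direct range), the following added check walks an npm lockfile and reports every axios entry below the recommended version. It is an added example, not code from pmxt-core or axios; the lockfile contents and the `some-sdk` dependency are constructed for illustration, and the check treats 1.15.2 as the fix boundary exactly as the Fix section above does.

```javascript
// Added example (not from the pmxt-core project or axios): scan an npm lockfile
// (lockfileVersion 2/3 "packages" map) for axios versions below the recommended
// fix version, including nested copies under other dependencies.
// No `semver` dependency is used so the check runs with node alone.

const FIXED_VERSION = '1.15.2'; // recommended version from this issue

// Parse "1.13.2" (a -prerelease/+build suffix is ignored) into [1, 13, 2].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric major.minor.patch comparison: -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every "node_modules/axios" entry (root or nested) whose version is below `fixed`.
function findVulnerableAxios(lock, fixed = FIXED_VERSION) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isAxios = path === 'node_modules/axios' || path.endsWith('/node_modules/axios');
    if (!isAxios || !meta.version) continue;
    if (compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the direct axios 1.13.2 from this issue plus an
// already-fixed nested copy under a hypothetical dependency ("some-sdk").
const SAMPLE_LOCK = {
  name: 'sample-project',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-project', dependencies: { axios: '^1.13.2' } },
    'node_modules/axios': { version: '1.13.2' },
    'node_modules/some-sdk': { version: '2.0.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.15.2' },
  },
};

// Run the check on the constructed sample; in practice pass the parsed
// contents of core/package-lock.json instead of SAMPLE_LOCK.
for (const h of findVulnerableAxios(SAMPLE_LOCK)) {
  console.log(`${h.path}: axios ${h.version} is below ${FIXED_VERSION}`);
}
```

On the sample this reports only the root `node_modules/axios` at 1.13.2; the nested 1.15.2 copy passes. Running it against the real lockfile after `npm install` is a cheap gate to add to CI so the scan that opened this issue does not re-fire on a forgotten nested copy.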
Risk Assessment
This is a direct runtime dependency. axios is used throughout pmxt-core to make HTTP requests to prediction market APIs (Polymarket, Kalshi, Limitless, etc.).
- GHSA-hfxv-24rg-xrqf (ReDoS): Exploitable if attacker-controlled cookie names reach axios's cookie-parsing path — relevant if any API response sets cookies with crafted names.
- GHSA-777c-7fjr-54vf (Resource Exhaustion): Unbounded resource consumption reachable via crafted API responses; could cause the pmxt-core server process to become unresponsive under load.
- GHSA-p92q-9vqr-4j8v and GHSA-j5f8-grm9-p9fc (Proxy-Auth Leaks): If pmxt-core is deployed behind an authenticated proxy (common in cloud/enterprise environments) and any prediction market API endpoint issues a cross-scheme or proxy-re-evaluated redirect, Proxy-Authorization credentials are forwarded to the final destination — leaking internal proxy credentials to external third parties.
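The two proxy-credential advisories share one rule: `Proxy-Authorization` is a hop-by-hop credential for the proxy, so it may only travel with a redirected request when that request still goes through the same proxy over the same scheme. The following added example (not axios's own code, and not a description of its adapter internals) makes that rule explicit for a redirect-following client so a reviewer can see both failure modes from the table: the cross-scheme redirect (GHSA-p92q-9vqr-4j8v) and the proxy being re-evaluated to a direct connection (GHSA-j5f8-grm9-p9fc). `selectProxy` is a hypothetical stand-in for proxy selection (real clients consult `HTTP_PROXY`/`HTTPS_PROXY`/`NO_PROXY` and per-request config), and the proxy URL, hostnames and credential value are constructed placeholders.

```javascript
// Added example (not axios's code): decide which headers may be carried across a
// redirect so that proxy credentials never reach an origin server.

const PROXY_AUTH = 'proxy-authorization'; // hop-by-hop: meant for the proxy only

// Case-insensitive header presence check.
function hasHeader(headers, name) {
  return Object.keys(headers).some((k) => k.toLowerCase() === name);
}

// Copy of `headers` without the named header (case-insensitive).
function withoutHeader(headers, name) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() !== name) out[k] = v;
  }
  return out;
}

// Hypothetical proxy selection: per-scheme proxy, with a NO_PROXY-style host list.
// Returns the proxy URL to use for `targetUrl`, or null for a direct connection.
function selectProxy(targetUrl, config) {
  const u = new URL(targetUrl);
  if ((config.noProxy || []).includes(u.hostname)) return null;
  const chosen = u.protocol === 'https:' ? config.httpsProxy : config.httpProxy;
  return chosen || null;
}

// Headers for the redirected request. Proxy-Authorization is kept only when the
// next hop uses the same proxy over the same scheme; a scheme change or a
// re-evaluation to a direct connection strips it.
function headersForRedirect(headers, fromUrl, toUrl, fromProxy, config) {
  const src = new URL(fromUrl);
  const dst = new URL(toUrl);
  const toProxy = selectProxy(toUrl, config);
  const sameScheme = src.protocol === dst.protocol;
  const sameProxy = toProxy !== null && toProxy === fromProxy;
  const keepProxyAuth = sameScheme && sameProxy;
  return {
    headers: keepProxyAuth ? { ...headers } : withoutHeader(headers, PROXY_AUTH),
    proxy: toProxy,
    strippedProxyAuth: !keepProxyAuth && hasHeader(headers, PROXY_AUTH),
  };
}

// Constructed deployment: one authenticated proxy for both schemes, one internal
// host that bypasses it. The credential value is a placeholder.
const PROXY = 'http://proxy.internal.example:3128';
const CONFIG = { httpProxy: PROXY, httpsProxy: PROXY, noProxy: ['internal.example'] };
const REQUEST_HEADERS = { 'Proxy-Authorization': 'Basic PLACEHOLDER', Accept: 'application/json' };

// The two redirect shapes from the advisories, plus the safe same-proxy case.
const SCENARIOS = [
  ['cross-scheme (http -> https)', 'http://api.market.example/v1', 'https://api.market.example/v1'],
  ['same scheme, same proxy', 'http://a.market.example/', 'http://b.market.example/'],
  ['proxy re-evaluated to direct', 'http://a.market.example/', 'http://internal.example/'],
];
for (const [label, fromUrl, toUrl] of SCENARIOS) {
  const r = headersForRedirect(REQUEST_HEADERS, fromUrl, toUrl, PROXY, CONFIG);
  console.log(`${label}: proxy=${r.proxy} strippedProxyAuth=${r.strippedProxyAuth}`);
}
```

The first and third scenarios are the ones the advisories describe: in both, the credential would otherwise be sent to whatever host the redirect names. Until the upgrade ships, an equivalent defensive check is to log or alert on any outbound request that carries `Proxy-Authorization` to a host that is not the configured proxy.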
Found by automated dependency vulnerability scan