The scheduled security audit failed. Please review the details below:
NPM Audit Vulnerabilities
- @opentelemetry/auto-instrumentations-node (high): via @opentelemetry/instrumentation-amqplib, @opentelemetry/instrumentation-aws-sdk, @opentelemetry/instrumentation-connect, @opentelemetry/instrumentation-express, @opentelemetry/instrumentation-fastify, @opentelemetry/instrumentation-fs, @opentelemetry/instrumentation-hapi, @opentelemetry/instrumentation-http, @opentelemetry/instrumentation-koa, @opentelemetry/instrumentation-mongoose, @opentelemetry/instrumentation-mysql2, @opentelemetry/instrumentation-pg, @opentelemetry/instrumentation-pino, @opentelemetry/instrumentation-restify, @opentelemetry/instrumentation-undici, @opentelemetry/resource-detector-alibaba-cloud, @opentelemetry/resource-detector-aws, @opentelemetry/resource-detector-azure, @opentelemetry/resource-detector-container, @opentelemetry/resource-detector-gcp, @opentelemetry/resources, @opentelemetry/sdk-node, Prometheus exporter process crash via malformed HTTP request
- @opentelemetry/exporter-prometheus (high): via @opentelemetry/core, @opentelemetry/resources, @opentelemetry/sdk-metrics, Prometheus exporter process crash via malformed HTTP request
- @opentelemetry/sdk-node (high): via @opentelemetry/core, @opentelemetry/exporter-logs-otlp-grpc, @opentelemetry/exporter-logs-otlp-http, @opentelemetry/exporter-logs-otlp-proto, @opentelemetry/exporter-metrics-otlp-grpc, @opentelemetry/exporter-metrics-otlp-http, @opentelemetry/exporter-metrics-otlp-proto, @opentelemetry/exporter-prometheus, @opentelemetry/exporter-trace-otlp-grpc, @opentelemetry/exporter-trace-otlp-http, @opentelemetry/exporter-trace-otlp-proto, @opentelemetry/exporter-zipkin, @opentelemetry/resources, @opentelemetry/sdk-logs, @opentelemetry/sdk-metrics, @opentelemetry/sdk-trace-base, @opentelemetry/sdk-trace-node, Prometheus exporter process crash via malformed HTTP request
- @stellar/stellar-sdk (high): via axios
- axios (high): via Axios: Authentication Bypass via Prototype Pollution Gadget in
validateStatus Merge Strategy, Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0, Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver, Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams, Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream, Axios: no_proxy bypass via IP alias allows SSRF, Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0, Axios: HTTP adapter streamed responses bypass maxContentLength, Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking, Axios: Header Injection via Prototype Pollution, Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion, Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking, axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718), Axios: unbounded recursion in toFormData causes DoS via deeply nested request data, Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection, Allocation of Resources Without Limits or Throttling in Axios, Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter, Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection, axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge, axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy, axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
- form-data (high): via form-data: CRLF injection in form-data via unescaped multipart field names and filenames
- picomatch (high): via Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching, Picomatch has a ReDoS vulnerability via extglob quantifiers
The scheduled security audit failed. Please review the details below:
NPM Audit Vulnerabilities
validateStatusMerge Strategy, Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0, Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget inparseReviver, Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams, Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream, Axios: no_proxy bypass via IP alias allows SSRF, Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0, Axios: HTTP adapter streamed responses bypass maxContentLength, Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking, Axios: Header Injection via Prototype Pollution, Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget inwithXSRFTokenBoolean Coercion, Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking, axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718), Axios: unbounded recursion in toFormData causes DoS via deeply nested request data, Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection, Allocation of Resources Without Limits or Throttling in Axios, Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter, Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection, axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge, axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget inconfig.proxy, axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions