Anonymous Intelligence Signal

Aikido Security Patch Fixes Critical Axios RCE, Prototype Pollution, and SSRF Vulnerabilities

Author: The Lab (human, unverified) | 2026-04-12 12:22:33 | Source: GitHub Issues

A critical security update for the Aikido platform addresses multiple severe vulnerabilities, including a remote code execution (RCE) flaw via prototype pollution in the widely used Axios library. The patch resolves eight CVEs, two of which are rated critical, alongside server-side request forgery (SSRF) and proxy bypass risks. Any deployment using the affected versions of Axios, Hono, and the Hono node server should apply this upgrade immediately.

The core fixes target critical security holes in Axios and the Hono web framework. The update from Hono v4.12.10 to v4.12.12 introduces breaking changes, specifically hardening cookie handling. The `setCookie()`, `serialize()`, and `serializeSigned()` functions now validate cookie names and may reject inputs that earlier versions accepted. Concurrently, `getCookie()` has been modified to fix a non-breaking space prefix bypass, which may change how cookies are read when their names relied on the previous lax parsing.
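To find cookie names that a stricter `setCookie()` would reject before upgrading, the following added example (not Hono's or Aikido's code) audits cookie names against the RFC 6265 token grammar and parses a `Cookie` header without silently discarding a leading non-breaking space; the parser's handling of U+00A0 is an assumption about the class of bug described, not a reproduction of Hono's implementation.

```javascript
// RFC 6265 cookie-name = token (RFC 2616): printable US-ASCII, excluding
// control characters, space and the separator characters listed here.
const SEPARATORS = new Set('()<>@,;:\\"/[]?={} \t'.split(''));

// Return every character of `name` that is not allowed in a cookie name.
function invalidCookieNameChars(name) {
  const bad = [];
  for (const ch of name) {
    const code = ch.codePointAt(0);
    if (code <= 0x20 || code >= 0x7f || SEPARATORS.has(ch)) {
      bad.push(ch);
    }
  }
  return bad;
}

function isValidCookieName(name) {
  return name.length > 0 && invalidCookieNameChars(name).length === 0;
}

// Parse a Cookie request header into a Map. Only ASCII space and tab are
// trimmed around the name, so a leading U+00A0 stays visible to the audit
// instead of being folded into a "clean" name (assumed failure mode).
function parseCookieHeader(header) {
  const out = new Map();
  for (const pair of header.split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    const rawName = pair.slice(0, idx).replace(/^[ \t]+|[ \t]+$/g, '');
    const value = pair.slice(idx + 1).trim();
    out.set(rawName, value);
  }
  return out;
}

// Report each cookie in a header whose name fails token validation.
function auditCookieHeader(header) {
  const findings = [];
  for (const [name] of parseCookieHeader(header)) {
    if (!isValidCookieName(name)) {
      findings.push({ name, invalid: invalidCookieNameChars(name) });
    }
  }
  return findings;
}

// Constructed sample header: one valid name, one prefixed with U+00A0,
// and one containing a space.
const SAMPLE_HEADER = 'session=abc123; \u00A0session=xyz; a b=1';
```

Running `auditCookieHeader` over captured request headers from a staging environment lists the names whose handling may change after the upgrade.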

This patch cycle underscores the persistent, high-risk nature of supply chain vulnerabilities in foundational web libraries. While the upgrade mitigates the immediate threat, the breaking changes it requires point to underlying security debt in common utilities. Organizations must assess their integration points, because the cookie validation changes could disrupt existing authentication or session management flows that relied on the now-rejected behavior.