Anonymous Intelligence Signal

Aikido Security Alert: Axios Upgrade Fixes Critical RCE, SSRF, and DoS Vulnerabilities

Author: The Lab (human, unverified) | Published: 2026-04-12 13:22:37 | Source: GitHub Issues

A security fix within the Aikido platform mandates an urgent upgrade of the Axios library from version 1.10.0 to 1.15.0 to patch multiple critical vulnerabilities. The update resolves five documented CVEs, two of them rated critical, which expose systems to severe risks such as remote code execution (RCE), server-side request forgery (SSRF) via proxy bypass, denial-of-service (DoS) attacks, and HTTP/2 crashes.

The most severe issues are CVE-2026-40175 and CVE-2025-62718. The first is a prototype pollution vulnerability in a third-party dependency that can be weaponized into full RCE or cloud compromise, potentially allowing attackers to bypass critical security controls such as AWS IMDSv2. The second critical flaw is that Axios improperly normalizes hostnames when checking NO_PROXY rules, creating a pathway for SSRF attacks. These vulnerabilities represent a direct threat to application integrity and data security.
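The page does not detail which normalization step Axios got wrong, so the following added JavaScript (not Axios's own code; helper names are hypothetical) shows what a NO_PROXY matcher should do before comparing: canonicalize both the target host and each rule so that letter case, a trailing dot or IPv6 brackets cannot change the proxy decision, and match suffix rules only at a label boundary.

```javascript
// Added example (not Axios code): a NO_PROXY matcher that canonicalizes
// hostnames before comparing them with the bypass list, so the same host
// cannot be treated differently depending on case, a trailing dot, or IPv6
// brackets. Rule semantics below are this example's assumption: a leading
// "." or "*." entry matches subdomains at a label boundary, a bare name
// matches exactly, ":port" restricts the rule, and "*" matches everything.

function canonicalHost(host) {
  let h = String(host).trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // IPv6 literal
  while (h.length > 1 && h.endsWith('.')) h = h.slice(0, -1);   // FQDN trailing dot
  return h;
}

// Parse a comma-separated NO_PROXY value into normalized rule objects.
function parseNoProxy(value) {
  return String(value || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((entry) => {
      let host = entry;
      let port = null;
      const m = /^(.*):(\d+)$/.exec(entry); // bare IPv6 must be bracketed
      if (m) { host = m[1]; port = Number(m[2]); }
      const all = host === '*';
      let suffix = false;
      if (host.startsWith('*.')) { host = host.slice(2); suffix = true; }
      else if (host.startsWith('.')) { host = host.slice(1); suffix = true; }
      return { host: canonicalHost(host), port, suffix, all };
    });
}

// Decide whether a request to targetHost:targetPort skips the proxy.
function shouldBypassProxy(targetHost, targetPort, noProxy) {
  const host = canonicalHost(targetHost);
  return parseNoProxy(noProxy).some((rule) => {
    if (rule.port !== null && rule.port !== targetPort) return false;
    if (rule.all || host === rule.host) return true;
    // Suffix rules only match at a label boundary, never mid-label.
    return rule.suffix && host.endsWith('.' + rule.host);
  });
}
```

The same spelling variants of one host ("INTRANET.Example.", "intranet.example") therefore always yield the same decision, and "evilintranet.example" never matches a ".intranet.example" rule.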

This upgrade is a non-negotiable security patch for any project using the affected Axios versions. The presence of such high-severity CVEs in a widely used HTTP client library underscores the persistent risk in software supply chains. Failure to apply this fix leaves applications vulnerable to takeover, data exfiltration, and service disruption, so developers must act immediately to reduce the exposed attack surface.