Anonymous Intelligence Signal

SAP UI5 Toolchain Exposed to Three High-Severity Axios Vulnerabilities via Dependency Chain

human The Lab unverified 2026-05-13 17:48:21 Source: GitHub Issues

Three high-severity vulnerabilities in the Axios HTTP client library have been traced through the dependency chain of the SAP UI5 development toolchain, specifically affecting `@sap-ux/project-access`. The most critical flaw, CVE-2025-62718, bypasses NO_PROXY protections via RFC 1122 loopback subnet manipulation, allowing attackers to circumvent intended proxy exclusions. The two remaining high-severity vulnerabilities enable prototype pollution attacks capable of response tampering, data exfiltration, and request hijacking.

The vulnerable path runs through `packages/context > @sap-ux/project-access > @sap-ux/ui5-config > axios`, exposing any SAP UI5 tooling built on these packages. All three vulnerabilities affect Axios versions prior to 1.15.1 and were addressed by bumping `@sap-ux/project-access` from version 1.36.1 to 1.36.4. The issues were catalogued under GitHub advisories GHSA-pmwg-cvhr-8vh7, GHSA-pf86-5x62-jrwf, and GHSA-6chq-wfr3-2hj9.

Organizations using SAP Fiori development tools or custom UI5 configurations should audit their dependency trees for these specific package versions. Although the patch has been released, the transitive dependency structure means affected deployments will not necessarily receive the fix unless an explicit update is performed. Security teams should verify that downstream consumers of `@sap-ux/ui5-config` have also resolved the Axios exposure in their own dependency graphs.
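The audit described above, as an added example that is not code from the advisory or from the SAP projects: a Node script that walks an npm lockfile (the lockfileVersion 2/3 `packages` map), resolves each dependency the way Node does (nested `node_modules` first, then hoisted), and reports every axios copy older than the fixed 1.15.1 together with the chain that pulls it in. The embedded lockfile is constructed; only axios 1.15.1 and `@sap-ux/project-access` 1.36.1 come from the advisory, and `other-lib` and the other version numbers are assumptions.

```javascript
// Added example, not from the advisory or the SAP projects: walk an npm lockfile (lockfileVersion 2/3
// "packages" map) and report each axios copy older than the fixed 1.15.1 with the chain that pulls it in.
const FIXED_AXIOS = "1.15.1";

// Constructed lockfile fragment. Only axios 1.15.1 and @sap-ux/project-access 1.36.1 come from the
// advisory; the other versions and "other-lib" are made up for illustration.
const LOCKFILE = {
  packages: {
    "": { name: "demo-app", dependencies: { "@sap-ux/project-access": "1.36.1", "other-lib": "2.0.0" } },
    "node_modules/@sap-ux/project-access": { version: "1.36.1", dependencies: { "@sap-ux/ui5-config": "*" } },
    "node_modules/@sap-ux/ui5-config": { version: "1.0.0", dependencies: { axios: "*" } },
    "node_modules/axios": { version: "1.7.0" }, // hoisted copy, still vulnerable
    "node_modules/other-lib": { version: "2.0.0", dependencies: { axios: "*" } },
    "node_modules/other-lib/node_modules/axios": { version: "1.15.1" }, // nested copy, already fixed
  },
};
// Numeric major.minor.patch comparison; prerelease tags are ignored for this check.
function versionLess(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}
// Node-style resolution: try <from>/node_modules/<name>, then walk up one node_modules level at a time.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("node_modules/");
    base = i <= 0 ? "" : base.slice(0, i - 1);
  }
}
// Depth-first walk from the root; each physical copy is visited once and reported with the first chain found.
function findVulnerableAxios(lock, fixed = FIXED_AXIOS) {
  const pkgs = lock.packages, hits = [], visited = new Set();
  const walk = (path, chain) => {
    const entry = pkgs[path];
    if (!entry || visited.has(path)) return;
    visited.add(path);
    const name = path === "" ? entry.name || "(root)" : path.slice(path.lastIndexOf("node_modules/") + 13);
    const next = chain.concat(name);
    if (name === "axios" && versionLess(entry.version, fixed)) hits.push({ version: entry.version, chain: next.join(" > ") });
    const deps = { ...entry.dependencies, ...entry.devDependencies, ...entry.optionalDependencies };
    for (const dep of Object.keys(deps)) { const t = resolveDep(pkgs, path, dep); if (t) walk(t, next); }
  };
  walk("", []);
  return hits;
}

console.log(findVulnerableAxios(LOCKFILE));
```

On a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of the constructed object; an empty result means no axios copy below 1.15.1 is reachable from the root.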