From 5b2493e3586748e40c5095431525ee24b6667782 Mon Sep 17 00:00:00 2001 From: tonyxrmdavidson Date: Thu, 4 Jun 2026 09:56:29 +0100 Subject: [PATCH] OCPBUGS-85031: CVE-2026-42041 openshift4/ose-console: Axios: Authentication bypass due to prototype pollution of HTTP error handling [openshift-4.13.z] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE-2026-42041 is a Prototype Pollution vulnerability in axios that allows authentication bypass via prototype pollution of the validateStatus config property. When Object.prototype.validateStatus is polluted with () => true, all HTTP error responses (401, 403, 500) are silently treated as successful, completely bypassing application authentication and error handling. Changes: - Updated axios from 0.21.4 to 0.31.1 in dependencies - Added axios resolution to ^0.31.1 in resolutions - Updated yarn.lock to lock axios@npm:0.31.1 Verification: - yarn lint: ✅ Passed (156 pre-existing warnings, none related to axios) - yarn test: ✅ Passed (1 pre-existing test failure in environment.spec.tsx unrelated to axios) - yarn build: ✅ Passed (all assets generated successfully, exit code 0) The axios 0.31.1 release fixes this vulnerability in the 0.x branch. No breaking changes or axios-related test failures introduced by this update. Related: OCPBUGS-85031 --- frontend/package.json | 5 +++-- frontend/yarn.lock | 51 +++++++++++++++++++++++++++++++++---------- 2 files changed, 42 insertions(+), 14 deletions(-) diff --git a/frontend/package.json b/frontend/package.json index ffb0c6b57df..8cb82a713c5 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -159,7 +159,7 @@ "apollo-client": "^2.6.8", "apollo-link-http": "^1.0.20", "apollo-link-ws": "^1.0.20", - "axios": "^0.21.2", + "axios": "0.31.1", "classnames": "2.x", "d3": "^5.16.0", "file-saver": "1.3.x", @@ -354,7 +354,8 @@ "ua-parser-js": "^0.7.24", "@types/jest": "21.x", "glob-parent": "^5.1.2", - "postcss": "^8.2.13" + "postcss": "^8.2.13", + "axios": "^0.31.1" }, "husky": { "hooks": { diff --git a/frontend/yarn.lock b/frontend/yarn.lock index a4bd832aec6..51e0df8f93a 100644 --- a/frontend/yarn.lock +++ b/frontend/yarn.lock @@ -7083,12 +7083,14 @@ __metadata: languageName: node linkType: hard -"axios@npm:^0.21.1, axios@npm:^0.21.2": - version: 0.21.4 - resolution: "axios@npm:0.21.4" +"axios@npm:^0.31.1": + version: 0.31.1 + resolution: "axios@npm:0.31.1" dependencies: - follow-redirects: "npm:^1.14.0" - checksum: 10c0/fbcff55ec68f71f02d3773d467db2fcecdf04e749826c82c2427a232f9eba63242150a05f15af9ef15818352b814257541155de0281f8fb2b7e8a5b79f7f2142 + follow-redirects: "npm:^1.15.4" + form-data: "npm:^4.0.4" + proxy-from-env: "npm:^1.1.0" + checksum: 10c0/0193483f680a893955d203d26951fc427c407415d273bba5a2450e3d0ed7261a403eb5fe86f28a7e66c42d98597cbf8e17e3a6c324d294bd143a6a68bc10f8ef languageName: node linkType: hard @@ -9123,7 +9125,7 @@ __metadata: languageName: node linkType: hard -"combined-stream@npm:^1.0.6, combined-stream@npm:~1.0.5, combined-stream@npm:~1.0.6": +"combined-stream@npm:^1.0.6, combined-stream@npm:^1.0.8, combined-stream@npm:~1.0.5, combined-stream@npm:~1.0.6": version: 1.0.8 resolution: "combined-stream@npm:1.0.8" dependencies: @@ -11926,6 +11928,18 @@ __metadata: languageName: node linkType: hard +"es-set-tostringtag@npm:^2.1.0": + version: 2.1.0 + resolution: "es-set-tostringtag@npm:2.1.0" + dependencies: + es-errors: "npm:^1.3.0" + get-intrinsic: "npm:^1.2.6" + has-tostringtag: "npm:^1.0.2" + hasown: "npm:^2.0.2" + checksum: 10c0/ef2ca9ce49afe3931cb32e35da4dcb6d86ab02592cfc2ce3e49ced199d9d0bb5085fc7e73e06312213765f5efa47cc1df553a6a5154584b21448e9fb8355b1af + languageName: node + linkType: hard + "es-to-primitive@npm:^1.1.1, es-to-primitive@npm:^1.2.0": version: 1.2.0 resolution: "es-to-primitive@npm:1.2.0" @@ -13428,13 +13442,13 @@ __metadata: languageName: node linkType: hard -"follow-redirects@npm:^1.14.0": - version: 1.14.3 - resolution: "follow-redirects@npm:1.14.3" +"follow-redirects@npm:^1.15.4": + version: 1.16.0 + resolution: "follow-redirects@npm:1.16.0" peerDependenciesMeta: debug: optional: true - checksum: 10c0/02c94952aa0ce0b0d4fd45cb7af4cce5df37158a1757f9528f9488c3a2ed89b7d630764ba1e09918b98b5d9affbc3e06abc4fce90fb5608a79b10a9a81926e6c + checksum: 10c0/a1e2900163e6f1b4d1ed5c221b607f41decbab65534c63fe7e287e40a5d552a6496e7d9d7d976fa4ba77b4c51c11e5e9f683f10b43011ea11e442ff128d0e181 languageName: node linkType: hard @@ -13506,6 +13520,19 @@ __metadata: languageName: node linkType: hard +"form-data@npm:^4.0.4": + version: 4.0.5 + resolution: "form-data@npm:4.0.5" + dependencies: + asynckit: "npm:^0.4.0" + combined-stream: "npm:^1.0.8" + es-set-tostringtag: "npm:^2.1.0" + hasown: "npm:^2.0.2" + mime-types: "npm:^2.1.12" + checksum: 10c0/dd6b767ee0bbd6d84039db12a0fa5a2028160ffbfaba1800695713b46ae974a5f6e08b3356c3195137f8530dcd9dfcb5d5ae1eeff53d0db1e5aad863b619ce3b + languageName: node + linkType: hard + "form-data@npm:~2.3.1, form-data@npm:~2.3.2": version: 2.3.3 resolution: "form-data@npm:2.3.3" @@ -13900,7 +13927,7 @@ __metadata: languageName: node linkType: hard -"get-intrinsic@npm:^1.2.4, get-intrinsic@npm:^1.3.0": +"get-intrinsic@npm:^1.2.4, get-intrinsic@npm:^1.2.6, get-intrinsic@npm:^1.3.0": version: 1.3.1 resolution: "get-intrinsic@npm:1.3.1" dependencies: @@ -20528,7 +20555,7 @@ __metadata: apollo-client: "npm:^2.6.8" apollo-link-http: "npm:^1.0.20" apollo-link-ws: "npm:^1.0.20" - axios: "npm:^0.21.2" + axios: "npm:0.31.1" babel-loader: "npm:^8.2.1" browser-env: "npm:3.x" cache-loader: "npm:^4.1.0"