Vulnerability report for kentico/kontent-management-sdk-js

Vulnerabilities	1 via 1 paths
Dependencies	25
Source	GitHub
Commit	d900cbf6

Vulnerabilities

1 via 1 paths

Dependencies

Source

GitHub

Commit

d900cbf6

medium severity

new

Allocation of Resources Without Limits or Throttling

Vulnerable module: axios
Introduced through: @kontent-ai/core-sdk@10.12.0

Detailed paths

Introduced through: @kontent-ai/management-sdk@kentico/kontent-management-sdk-js#d900cbf6e158aa09b9442ac03aca9c753a87de51 › @kontent-ai/core-sdk@10.12.0 › axios@1.11.0

Remediation: Upgrade to @kontent-ai/core-sdk@11.0.0.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the data: URL handler. An attacker can trigger a denial of service by crafting a data: URL with an excessive payload, causing allocation of memory for content decoding before verifying content size limits.

Remediation

Upgrade axios to version 1.12.0 or higher.

References

GitHub Commit

Allocation of Resources Without Limits or Throttling vulnerability report