Critical vulnerability on Axios & axios-ntlm (fixed on axios >=1.15.0)

[Pankeking]

Hi, thanks for maintaining SOAP!

Our security scan shows soap depends on vulnerable axios versions via soap > axios and soap > axios-ntlm > axios.
The issue is GHSA-fvcv-3m26-pcqx (critical “Unrestricted Cloud Metadata Exfiltration via Header Injection Chain”), fixed in axios >= 1.15.0.

Could you please bump axios and axios-ntlm to >= 1.15.0 when you get a chance?
thank you very much!

[w666]

Hi @Pankeking

Are you using node-soap as a server or as a client?

If as a client you are not affected by this vulnerability.

But I am planning to release new version with updated axios tomorrow. Away from my computer atm.

[Pankeking]

@w666
We are using node-soap as client, thanks for the heads up 👽 !
Waiting for it :)

[smokhov]

@w666 -- while at it pls also update flatted from 3.4.1 to 3.4.2 and @xmldom/xmldom if possible. They have their own share too: GHSA-wh4c-j3r5-mjhp and GHSA-rf6f-7fwh-wjgh