Non-upgradable dependencies in solspace/craft-freeform
Description
solspace/craft-freeform Exposed to Known Axios Vulnerabilities via Precompiled Assets
Summary
The latest versions of both 4.x and 5.x are using Axios versions < 1.7.5 and as such are subject to known vulnerabilities as per: https://security.snyk.io/package/npm/axios
Details
We've had this flagged up in a pen test, which indicates the issue stems from this script: /freeform/plugin.js. I couldn't see any reference to vulnerable axios versions in your package.json files, but noticed some precompiled files in packages/plugin so I'm assuming those are where the issue lies.
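Because the vulnerable Axios is hidden inside a precompiled bundle rather than declared in package.json, a dependency scanner keyed on manifests will miss it. The following heuristic check is an added example (not code from the report or from the Freeform plugin): it scans bundle text for an embedded Axios version marker, filters out version constants that belong to other vendored libraries, and compares what it finds numerically against the 1.7.5 floor named above. The bundle text, window size and function names are constructed assumptions, not the real /freeform/plugin.js.

```python
import re
from typing import List, Tuple

FIXED_VERSION = "1.7.5"  # floor named in the report: anything below is affected

# Patterns seen in Axios builds: an unminified `const VERSION = "x.y.z"` /
# object key `VERSION: "x.y.z"`, and a literal "axios/x.y.z" user-agent string.
VERSION_RE = re.compile(r'\bVERSION\s*[=:]\s*["\'](\d+\.\d+\.\d+)["\']')
AXIOS_UA_RE = re.compile(r'axios/(\d+\.\d+\.\d+)')

# Constructed sample resembling a precompiled bundle (assumption, not the real
# plugin.js). The first VERSION belongs to an unrelated vendored library and is
# far from any mention of axios, so the proximity filter must ignore it.
SAMPLE_BUNDLE = (
    'const VERSION = "9.9.9"; /* some other vendored library */\n'
    + "/* filler */\n" * 300
    + "function isAxiosError(e){return !!(e && e.isAxiosError)}\n"
    + 'const VERSION = "1.6.8";\n'
    + "axios.VERSION = VERSION;\n"
)


def parse_semver(v: str) -> Tuple[int, int, int]:
    major, minor, patch = (int(p) for p in v.split(".")[:3])
    return major, minor, patch


def is_vulnerable(found: str, fixed: str = FIXED_VERSION) -> bool:
    # Compare numerically: "1.7.10" is newer than "1.7.5" even though a plain
    # string comparison would order it the other way.
    return parse_semver(found) < parse_semver(fixed)


def find_axios_versions(bundle: str, window: int = 1500) -> List[str]:
    """Return version strings that appear to belong to Axios (deduplicated)."""
    versions = []
    lower = bundle.lower()
    for m in VERSION_RE.finditer(bundle):
        # Only trust a VERSION constant if "axios" is mentioned nearby.
        lo, hi = max(0, m.start() - window), m.end() + window
        if "axios" in lower[lo:hi]:
            versions.append(m.group(1))
    versions.extend(m.group(1) for m in AXIOS_UA_RE.finditer(bundle))
    return sorted(set(versions), key=parse_semver)


def audit_bundle(bundle: str) -> List[Tuple[str, bool]]:
    """Pair each detected Axios version with whether it is below the fixed floor."""
    return [(v, is_vulnerable(v)) for v in find_axios_versions(bundle)]
```

Run it against a real bundle with `audit_bundle(open(path).read())`; a match is a lead to confirm against the Snyk listing, not proof on its own, since minifiers can rename the VERSION constant.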
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| composer | solspace/craft-freeform | 4.1.22, 5.5.9 | |