AXIOS SHIPS SECURITY HARDENING FOR NODE HTTP ADAPTER
By RepoJournal · Filed · About Vue.js
Axios 1.15.2 patches prototype pollution vulnerabilities and closes an SSRF vector that could let attackers escape sandbox constraints via Unix domain sockets.
The update [1] delivers critical supply-chain hardening across the board, but two security fixes matter most. Prototype-pollution defenses in the Node HTTP adapter close a class of attack that has proven dangerous in production, and the new opt-in `allowedSocketPaths` allowlist blocks SSRF exploitation through Unix domain sockets, a blind spot in most HTTP client configurations. The release also fixes a keep-alive socket memory leak that was quietly consuming memory in long-running processes. If you ship axios in any Node environment that touches untrusted input, this is the upgrade you have been waiting for.
Action items
- → Upgrade axios to 1.15.2 in your Node dependencies before next deploy (vuejs/v2.cn.vuejs.org) [immediate]
- → Audit axios usage for Unix domain socket endpoints and evaluate `allowedSocketPaths` configuration (vuejs/v2.cn.vuejs.org) [plan]
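For the audit step, the sketch below is an added example, not code from axios or from this article, and it does not reproduce how `allowedSocketPaths` is implemented. It flags request configs whose `socketPath` (axios's existing option for Unix domain sockets) is either inherited from a prototype or absent from an exact-match allowlist; `checkSocketPath`, `auditConfigs`, and every path shown are hypothetical names and constructed values.

```javascript
// Added example: a hypothetical pre-flight guard, not axios's implementation.
// Constructed allowlist of Unix domain sockets this service is meant to reach.
const ALLOWED_SOCKETS = ['/run/myapp/api.sock'];

// Classify how a request config would select a Unix domain socket.
function checkSocketPath(config, allowed = ALLOWED_SOCKETS) {
  if (config === null || typeof config !== 'object' || !('socketPath' in config)) {
    return { verdict: 'tcp', socketPath: null };
  }
  // An inherited socketPath came from a prototype, not from the caller:
  // the signature of prototype pollution reaching the request config.
  if (!Object.prototype.hasOwnProperty.call(config, 'socketPath')) {
    return { verdict: 'reject-inherited', socketPath: null };
  }
  const value = config.socketPath;
  if (value === undefined || value === null) {
    return { verdict: 'tcp', socketPath: null };
  }
  // Exact string match only: no prefix matching, so a path containing ".."
  // or a non-string value never passes.
  if (typeof value !== 'string' || !allowed.includes(value)) {
    return { verdict: 'reject-not-allowlisted', socketPath: null };
  }
  return { verdict: 'allow', socketPath: value };
}

// Audit helper: return only the configs that would be rejected, with their index.
function auditConfigs(configs, allowed = ALLOWED_SOCKETS) {
  return configs
    .map((config, index) => ({ index, ...checkSocketPath(config, allowed) }))
    .filter((r) => r.verdict.startsWith('reject'));
}

// Constructed sample configs; `inherited` simulates a polluted prototype
// without touching the global Object.prototype.
const inherited = Object.create({ socketPath: '/run/other/admin.sock' });
inherited.url = '/status';
const SAMPLE_CONFIGS = [
  { url: 'https://api.example.com/v1/items' },
  { url: '/health', socketPath: '/run/myapp/api.sock' },
  { url: '/status', socketPath: '/run/other/admin.sock' },
  { url: '/health', socketPath: '/run/myapp/../other/admin.sock' },
  inherited,
];

console.log(auditConfigs(SAMPLE_CONFIGS));
```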
References
- [1] chore(deps): bump axios from 1.15.0 to 1.15.2 (vuejs/v2.cn.vuejs.org)
FAQ
- What changed in Vue.js on May 11, 2026?
  - Axios 1.15.2 patches prototype pollution vulnerabilities and closes an SSRF vector that could let attackers escape sandbox constraints via Unix domain sockets.
- What should Vue.js teams do about it?
  - Upgrade axios to 1.15.2 in your Node dependencies before next deploy.
  - Audit axios usage for Unix domain socket endpoints and evaluate `allowedSocketPaths` configuration.
- Which Vue.js repositories shipped on May 11, 2026?
  - vuejs/v2.cn.vuejs.org