CVE-2026-40175 - critical vulnerability - Axios

[kamil-duda]

There is a critical vulnerability in Azurite image (check 3.35.0 version) related to Axios.

trivy image mcr.microsoft.com/azure-storage/azurite:3.35.0 --scanners vuln --ignore-unfixed --severity CRITICAL

...

┌──────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬─────────────────────────────────────────────────────────────┐
│         Library          │ Vulnerability  │ Severity │ Status │ Installed Version │    Fixed Version    │                            Title                            │
├──────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼─────────────────────────────────────────────────────────────┤
│ axios (package.json)     │ CVE-2025-62718 │ CRITICAL │ fixed  │ 0.21.4            │ 1.15.0, 0.31.0      │ axios: Axios: Server-Side Request Forgery and proxy bypass  │
│                          │                │          │        │                   │                     │ due to improper hostname...                                 │
│                          │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2025-62718                  │
│                          ├────────────────┤          │        │                   │                     ├─────────────────────────────────────────────────────────────┤
│                          │ CVE-2026-40175 │          │        │                   │                     │ axios: Axios: Remote Code Execution via Prototype Pollution │
│                          │                │          │        │                   │                     │ escalation                                                  │
│                          │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2026-40175                  │
│                          ├────────────────┤          │        ├───────────────────┤                     ├─────────────────────────────────────────────────────────────┤
│                          │ CVE-2025-62718 │          │        │ 0.27.2            │                     │ axios: Axios: Server-Side Request Forgery and proxy bypass  │
│                          │                │          │        │                   │                     │ due to improper hostname...                                 │
│                          │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2025-62718                  │
│                          ├────────────────┤          │        │                   │                     ├─────────────────────────────────────────────────────────────┤
│                          │ CVE-2026-40175 │          │        │                   │                     │ axios: Axios: Remote Code Execution via Prototype Pollution │
│                          │                │          │        │                   │                     │ escalation                                                  │
│                          │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2026-40175                  │
├──────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼─────────────────────────────────────────────────────────────┤

[timtucker-dte]

Duplicate of #2500

The solution here is updating dependencies and moving from Axios to native fetch.

Keeping up with dependencies has been an issue in this project for years and doesn't seem to be a very high priority for Microsoft.