[Aikido] Fix 5 critical issues in aws-sdk, @babel/traverse, @actions/core #2

Open
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-20074350-tsc2

Conversation

@aikido-autofix

Upgrade aws-sdk, @babel/traverse, and @actions/core to fix prototype pollution, RCE during compilation, and environment variable injection vulnerabilities.

✅ 5 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2020-28472 | 🚨 CRITICAL | [aws-sdk] A prototype pollution vulnerability exists in the INI file parser that allows attackers to pollute object prototypes through malicious INI files, potentially enabling further exploitation depending on application context. |
| AIKIDO-2025-10745 | MEDIUM | [@babel/traverse] A vulnerability allows remote code execution during compilation when processing malicious input with certain plugins that use internal evaluation methods. This affects plugins like @babel/plugin-transform-runtime and @babel/preset-env with the useBuiltIns option. |
| CVE-2023-0842 | MEDIUM | [xml2js] version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited. |
| CVE-2020-15228 | MEDIUM | [@actions/core] Untrusted data logged to stdout can be interpreted as runner commands, allowing attackers to modify environment variables and PATH without authorization. This enables arbitrary code execution through workflow manipulation. |
| CVE-2022-35954 | MEDIUM | [@actions/core] The core.exportVariable function uses a predictable delimiter that attackers can exploit to break out of variables and assign arbitrary values to other environment variables, potentially modifying the path or other critical variables. This allows arbitrary environment variable injection when untrusted values are written to GITHUB_ENV. |

Comment thread package-lock.json

5 Open source vulnerabilities detected - high severity
Aikido detected 5 vulnerabilities across 1 package; it includes 3 high and 2 medium vulnerabilities.

Remediation Aikido suggests bumping the vulnerable packages to a safe version.

Reply @AikidoSec ignore: [REASON] to ignore this issue.
