[Aikido] Fix 5 security issues in lodash, @aws-sdk/client-sts, @aws-sdk/client-cloudfront and 4 more #23

Closed
aikido-autofix[bot] wants to merge 1 commit into main from
fix/aikido-security-update-packages-16849845-2dk5

Conversation

@aikido-autofix

Upgrades multiple dependencies to address prototype pollution, ReDoS, and AWS SDK configuration vulnerabilities, mitigating potential remote code execution and denial of service risks.

✅ Code not affected by breaking changes.

The breaking change in @smithy/config-resolver (dropping Node.js 16 support) does not affect this codebase. The package is only a transitive dependency brought in through the AWS SDK clients used by oclif, which is itself a dependency of @asyncapi/cli.

The codebase does not directly import or use @smithy/config-resolver, and the dependency chain already requires Node.js >= 18.0.0 (enforced by the oclif package). Therefore, the Node.js 16 support removal has no practical impact on this project.

✅ 5 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue                 Severity  Description
CVE-2025-13465        MEDIUM    [lodash] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality.
CVE-2025-64718        MEDIUM    [lodash] A prototype pollution vulnerability allows attackers to modify object prototypes through malicious YAML documents, potentially enabling arbitrary code execution or application compromise when parsing untrusted input.
AIKIDO-2025-10809     MEDIUM    [lodash] A prototype pollution vulnerability in object merging allows attackers to inject malicious properties via crafted YAML input, potentially leading to remote code execution, denial of service, or other security breaches.
CVE-2025-69873        LOW       [lodash] A ReDoS vulnerability in the $data option allows attackers to inject malicious regex patterns that cause catastrophic backtracking, enabling denial of service through a single HTTP request with minimal payload.
GHSA-6475-r3vj-m8vf   LOW       [lodash] Invalid region values in AWS SDK configuration could allow improper routing of API calls to non-AWS hosts if an actor with environment access sets the region field to an invalid value. A validation enhancement has been implemented to ensure regions are valid host labels.

@vercel

vercel bot commented Feb 19, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project                            Deployment  Actions  Updated (UTC)
cash-register-api-example-client   Error       Error    Feb 19, 2026 11:39pm
