RHSA-2026:34527

Vulnerability from csaf_redhat - Published: 2026-07-01 20:43 - Updated: 2026-07-02 13:59
Summary
Red Hat Security Advisory: General availability of the satellite/iop-host-inventory-frontend-rhel9 container image
Severity
Important
Notes
Topic: A new satellite/iop-host-inventory-frontend-rhel9 container image is now generally available in the Red Hat container registry.
Details: Red Hat Lightspeed in Satellite analyzes system health and configuration by applying predefined rules to a small set of local data, such as installed packages, running services, and configuration settings. When you install Red Hat Lightspeed in Satellite locally, you can generate Red Hat Lightspeed recommendations without sending system data to Red Hat services.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

A decompression handling flaw has been discovered in urllib3. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side, even if the application only requested a small chunk of data.

CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64
Vendor Fix fix
Workaround
Threats
Impact Important

A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, the Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. A remote attacker could exploit this behaviour, and it can lead to the disclosure of sensitive proxy credentials to an unintended third party.

CWE-201 - Insertion of Sensitive Information Into Sent Data
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64
Vendor Fix fix
Workaround
Threats
Impact Important

A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).

CWE-770 - Allocation of Resources Without Limits or Throttling
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64
Vendor Fix fix
Workaround
Threats
Impact Important

A flaw was found in Axios. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to escalate any existing Object.prototype pollution in an application's dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64
Vendor Fix fix
Workaround
Threats
Impact Important
References
URL Category
https://access.redhat.com/errata/RHSA-2026:34527 self
https://access.redhat.com/documentation/en-us/red… external
https://access.redhat.com/security/cve/CVE-2025-66471 external
https://access.redhat.com/security/cve/CVE-2026-44487 external
https://access.redhat.com/security/cve/CVE-2026-44488 external
https://access.redhat.com/security/cve/CVE-2026-44494 external
https://access.redhat.com/security/updates/classi… external
https://catalog.redhat.com/software/containers/search external
https://docs.redhat.com/en/documentation/red_hat_… external
https://docs.redhat.com/en/documentation/red_hat_… external
https://security.access.redhat.com/data/csaf/v2/a… self
https://access.redhat.com/security/cve/CVE-2025-66471 self
https://bugzilla.redhat.com/show_bug.cgi?id=2419467 external
https://www.cve.org/CVERecord?id=CVE-2025-66471 external
https://nvd.nist.gov/vuln/detail/CVE-2025-66471 external
https://github.com/urllib3/urllib3/commit/c19571d… external
https://github.com/urllib3/urllib3/security/advis… external
https://access.redhat.com/security/cve/CVE-2026-44487 self
https://bugzilla.redhat.com/show_bug.cgi?id=2487948 external
https://www.cve.org/CVERecord?id=CVE-2026-44487 external
https://nvd.nist.gov/vuln/detail/CVE-2026-44487 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-44488 self
https://bugzilla.redhat.com/show_bug.cgi?id=2487949 external
https://www.cve.org/CVERecord?id=CVE-2026-44488 external
https://nvd.nist.gov/vuln/detail/CVE-2026-44488 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-44494 self
https://bugzilla.redhat.com/show_bug.cgi?id=2487942 external
https://www.cve.org/CVERecord?id=CVE-2026-44494 external
https://nvd.nist.gov/vuln/detail/CVE-2026-44494 external
https://github.com/axios/axios/security/advisorie… external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A new satellite/iop-host-inventory-frontend-rhel9 container image is now generally available in the Red Hat container registry.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Lightspeed in Satellite analyzes system health and configuration by applying  predefined rules to a small set of local data, such as installed packages,  running services, and configuration settings.  When you install Red Hat Lightspeed in Satellite locally,  you can generate Red Hat Lightspeed recommendations without  sending system data to Red Hat services. ",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:34527",
        "url": "https://access.redhat.com/errata/RHSA-2026:34527"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_satellite/6.18/html/updating_red_hat_satellite/index",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_satellite/6.18/html/updating_red_hat_satellite/index"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-66471",
        "url": "https://access.redhat.com/security/cve/CVE-2025-66471"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44487",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44487"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44488",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44488"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44494",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44494"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://catalog.redhat.com/software/containers/search",
        "url": "https://catalog.redhat.com/software/containers/search"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_connected_network_environment/performing-additional-configuration-on-server_satellite#installing-and-configuring-red-hat-lightspeed-in-satellite",
        "url": "https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_connected_network_environment/performing-additional-configuration-on-server_satellite#installing-and-configuring-red-hat-lightspeed-in-satellite"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_disconnected_network_environment/performing-additional-configuration#installing-and-configuring-red-hat-lightspeed-in-satellite",
        "url": "https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_disconnected_network_environment/performing-additional-configuration#installing-and-configuring-red-hat-lightspeed-in-satellite"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_34527.json"
      }
    ],
    "title": "Red Hat Security Advisory: General availability of the satellite/iop-host-inventory-frontend-rhel9 container image",
    "tracking": {
      "current_release_date": "2026-07-02T13:59:32+00:00",
      "generator": {
        "date": "2026-07-02T13:59:32+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.3.1"
        }
      },
      "id": "RHSA-2026:34527",
      "initial_release_date": "2026-07-01T20:43:10+00:00",
      "revision_history": [
        {
          "date": "2026-07-01T20:43:10+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-07-01T20:43:11+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-07-02T13:59:32+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Satellite 6.19",
                "product": {
                  "name": "Red Hat Satellite 6.19",
                  "product_id": "Red Hat Satellite 6.19",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:satellite:6.19::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Satellite"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64",
                "product": {
                  "name": "registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64",
                  "product_id": "registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/iop-host-inventory-frontend-rhel9@sha256%3Aa3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14?arch=amd64\u0026repository_url=registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9\u0026tag=1782253070"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64 as a component of Red Hat Satellite 6.19",
          "product_id": "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
        },
        "product_reference": "registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64",
        "relates_to_product_reference": "Red Hat Satellite 6.19"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-66471",
      "cwe": {
        "id": "CWE-409",
        "name": "Improper Handling of Highly Compressed Data (Data Amplification)"
      },
      "discovery_date": "2025-12-05T17:02:21.597728+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2419467"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A decompression handling flaw has been discovered in urllib3. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side, even if the application only requested a small chunk of data.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "urllib3: urllib3 Streaming API improperly handles highly compressed data",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-66471"
        },
        {
          "category": "external",
          "summary": "RHBZ#2419467",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419467"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-66471",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-66471"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66471",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66471"
        },
        {
          "category": "external",
          "summary": "https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7",
          "url": "https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7"
        },
        {
          "category": "external",
          "summary": "https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37",
          "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37"
        }
      ],
      "release_date": "2025-12-05T16:06:08.531000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-07-01T20:43:10+00:00",
          "details": "For Red Hat Lightspeed in Satellite installation see the Red Hat Satellite documentation.",
          "product_ids": [
            "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:34527"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "urllib3: urllib3 Streaming API improperly handles highly compressed data"
    },
    {
      "cve": "CVE-2026-44487",
      "cwe": {
        "id": "CWE-201",
        "name": "Insertion of Sensitive Information Into Sent Data"
      },
      "discovery_date": "2026-06-11T17:01:34.091476+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487948"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Information disclosure of proxy credentials via redirect flows",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44487"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487948",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487948"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44487",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44487"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v"
        }
      ],
      "release_date": "2026-06-11T15:38:25.150000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-07-01T20:43:10+00:00",
          "details": "For Red Hat Lightspeed in Satellite installation see the Red Hat Satellite documentation.",
          "product_ids": [
            "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:34527"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Information disclosure of proxy credentials via redirect flows"
    },
    {
      "cve": "CVE-2026-44488",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-06-11T17:01:36.836488+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487949"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Denial of Service due to unenforced request and response size limits",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44488"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487949",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487949"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44488",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44488"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
        }
      ],
      "release_date": "2026-06-11T15:37:38.013000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-07-01T20:43:10+00:00",
          "details": "For Red Hat Lightspeed in Satellite installation see the Red Hat Satellite documentation.",
          "product_ids": [
            "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:34527"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Denial of Service due to unenforced request and response size limits"
    },
    {
      "cve": "CVE-2026-44494",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-06-11T17:01:12.945664+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487942"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to escalate any existing Object.prototype pollution in an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44494"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487942",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487942"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44494",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44494"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh"
        }
      ],
      "release_date": "2026-06-11T15:32:03.155000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-07-01T20:43:10+00:00",
          "details": "For Red Hat Lightspeed in Satellite installation see the Red Hat Satellite documentation.",
          "product_ids": [
            "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:34527"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Satellite 6.19:registry.redhat.io/satellite/iop-host-inventory-frontend-rhel9@sha256:a3865229f5dfcfd023518551a61cbc73bdddcfe3f830ad9810aaaf4a17e32d14_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution"
    }
  ]
}