[Aikido] Fix 21 critical issues in axios, lodash, immutable#22

Open
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
aikido-LOG-1154-update-packages-38702537-17rt

Conversation

@aikido-autofix aikido-autofix Bot commented May 24, 2026

Upgrade axios and lodash to fix critical SSRF, proxy bypass, prototype pollution, and RCE vulnerabilities.

✅ Code not affected by breaking changes.

✅ No breaking changes affect this codebase. While lodash is listed as a dependency in package.json, searches across all source files found no usage of the affected methods (_.unset, _.omit, or _.template). The codebase does not import or use lodash in any of its TypeScript/JavaScript source files.

All breaking changes by upgrading lodash from version 4.17.21 to 4.18.1 (CHANGELOG)

| Version | Description |
|---|---|
| 4.18.0 | _.unset / _.omit now block constructor and prototype as non-terminal path keys unconditionally. Calls that previously returned true and deleted the property now return false and leave the target untouched. |
| 4.18.0 | _.template now throws "Invalid imports option passed into _.template" when imports keys contain forbidden identifier characters, which were previously allowed. |
✅ 21 CVEs resolved by this upgrade, including 6 critical 🚨 CVEs

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2026-42043 | 🚨 CRITICAL | [axios] An attacker who can influence the target URL can bypass NO_PROXY protection by using any address in the 127.0.0.0/8 range (except 127.0.0.1), allowing requests to reach unintended destinations. This enables potential information disclosure or unauthorized access to local services. |
| CVE-2025-62718 | 🚨 CRITICAL | [axios] Improper hostname normalization in NO_PROXY rule checking allows requests to loopback addresses (localhost., [::1]) to bypass proxy protections, enabling proxy bypass and potential SSRF attacks against internal services. This vulnerability permits attackers to reach sensitive services despite configured NO_PROXY protections. |
| CVE-2026-42264 | 🚨 CRITICAL | [axios] Prototype pollution vulnerability in HTTP adapter allows attackers to exploit five config properties (auth, baseURL, socketPath, beforeRedirect, insecureHTTPParser) without hasOwnProperty guards, enabling RCE or request manipulation when Object.prototype is polluted by other dependencies. |
| CVE-2026-42044 | 🚨 CRITICAL | [axios] Prototype Pollution vulnerability allows attackers to manipulate JSON API responses through a polluted parseReviver function, enabling privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function unsafely calls JSON.parse with an unvalidated parseReviver parameter from the config object. |
| CVE-2026-40175 | HIGH | [axios] A prototype pollution vulnerability in a third-party dependency can be exploited to inject unsanitized header values into outbound HTTP requests. This allows attackers to manipulate request headers, potentially leading to request smuggling, cache poisoning, or other header-based attacks. |
| CVE-2026-25639 | HIGH | [axios] The mergeConfig function crashes with a TypeError when processing configuration objects containing `__proto__` as an own property, allowing attackers to trigger denial of service. An attacker can exploit this by providing a malicious configuration object created via JSON.parse(). |
| CVE-2026-42038 | HIGH | [axios] Incomplete hostname normalization in no_proxy bypass allows requests to IP loopback addresses (127.0.0.1, [::1]) to route through proxy when no_proxy=localhost is set, enabling proxy bypass circumvention. This occurs due to pure string matching without IP alias resolution. |
| CVE-2026-42039 | HIGH | [axios] A deeply nested object passed as request data causes the toFormData function to recursively walk without depth limits, crashing the Node.js process with a RangeError (Denial of Service). This vulnerability allows attackers to trigger application crashes through maliciously crafted nested payloads. |
| CVE-2026-42033 | HIGH | [axios] A prototype pollution vulnerability allows attackers to intercept and modify JSON responses or hijack HTTP transport to access credentials and headers. This requires prior prototype pollution from a co-dependency but enables complete request/response manipulation. |
| CVE-2026-42035 | HIGH | [axios] A prototype pollution gadget in the HTTP adapter allows attackers to inject arbitrary HTTP headers into outgoing requests by polluting Object.prototype with specific properties. This enables header injection attacks that could lead to request manipulation and potential security bypasses. |
| CVE-2026-42041 | MEDIUM | [axios] A Prototype Pollution vulnerability allows attackers to suppress HTTP error responses by polluting Object.prototype.validateStatus, causing all status codes to be treated as successful and bypassing authentication and error handling. |
| CVE-2026-42042 | MEDIUM | [axios] Uses truthy/falsy semantics instead of strict boolean comparison for XSRF token protection, allowing attackers to bypass same-origin checks via prototype pollution or misconfiguration and steal XSRF tokens sent to cross-origin servers. This enables CSRF attacks against protected endpoints. |
| CVE-2026-42034 | MEDIUM | [axios] A vulnerability allows attackers to bypass the maxBodyLength restriction on stream request bodies when maxRedirects is set to 0, enabling oversized uploads to be sent despite strict body limits. This could lead to denial of service or resource exhaustion attacks. |
| CVE-2026-42036 | MEDIUM | [axios] When responseType is set to 'stream', the library fails to enforce maxContentLength limits, allowing attackers to bypass response-size restrictions and cause denial of service through unbounded data consumption. |
| CVE-2026-42037 | MEDIUM | [axios] Unsanitized CRLF sequences in the Content-Type header of multipart form-data parts allow header injection attacks when processing user-controlled Blob/File objects. An attacker can inject arbitrary MIME headers into the multipart body, bypassing Node.js v18+ header protections. |
| AIKIDO-2026-10509 | MEDIUM | [axios] Prototype pollution vulnerability allows attackers to inject malicious headers into requests through unsafe FormData detection and header merging, potentially enabling authorization bypass or request manipulation. |
| CVE-2026-42040 | LOW | [axios] A character mapping in the encode() function incorrectly reverses percent-encoding of null bytes, converting %00 back to raw null bytes and potentially enabling injection attacks in certain contexts. The vulnerability has limited impact as standard axios request flows are unaffected. |
| CVE-2026-4800 | 🚨 CRITICAL | [lodash] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation. |
| CVE-2025-13465 | MEDIUM | [lodash] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality. |
| CVE-2026-2950 | MEDIUM | [lodash] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior. |
| CVE-2026-29063 | 🚨 CRITICAL | [immutable] Prototype Pollution vulnerability in mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs allows attackers to modify object prototypes and potentially execute arbitrary code or bypass security controls. |
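The two defensive patterns that recur in the bot's list are worth seeing in isolation: refusing to walk through prototype-reaching keys when deleting by path (the lodash 4.18.0 behaviour change described in the breaking-changes table), and reading options from a config object only when they are own properties (the missing hasOwnProperty guards behind the axios gadget entries). The following is an added illustration written for this review, not code from the PR, from lodash, or from axios; `safeUnset`, `ownOption` and the sample objects are assumptions constructed here, and the path-walking logic only mimics the documented return-false-and-leave-untouched semantics rather than reproducing lodash's implementation.

```javascript
// Added example (not from the PR, lodash or axios). Demonstrates the two
// guards referenced in the CVE list above:
//  1. safeUnset: path-based deletion that rejects "__proto__", "constructor"
//     and "prototype" in any non-terminal position and only deletes own
//     properties, so a crafted path cannot reach a built-in prototype.
//  2. ownOption: reading a config value only when it is an own property, so
//     a key injected into Object.prototype by another dependency is ignored.

const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split a dotted path into segments; arrays are accepted as already-split
// paths (segments are coerced to strings, so array-wrapped segments get
// the same check as dotted ones).
function toPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split(".");
}

// Delete `path` from `obj`. Returns true when an own property was removed,
// false when the path is rejected or does not resolve to an own property.
// The target is left untouched on every false return.
function safeUnset(obj, path) {
  const segs = toPath(path);
  if (segs.length === 0) return false;
  // Walking through any of these keys would land on a prototype object.
  for (let i = 0; i < segs.length - 1; i++) {
    if (BLOCKED_KEYS.has(segs[i])) return false;
  }
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur === null || typeof cur !== "object") return false;
    if (!Object.prototype.hasOwnProperty.call(cur, segs[i])) return false;
    cur = cur[segs[i]];
  }
  const last = segs[segs.length - 1];
  if (cur === null || typeof cur !== "object") return false;
  // Inherited properties (e.g. Object.prototype.toString) are never deleted.
  if (!Object.prototype.hasOwnProperty.call(cur, last)) return false;
  return delete cur[last];
}

// Read option `name` from `config`, ignoring values that only exist on the
// prototype chain; `fallback` is returned in that case.
function ownOption(config, name, fallback) {
  return Object.prototype.hasOwnProperty.call(config, name)
    ? config[name]
    : fallback;
}

// Constructed sample input: a config parsed from JSON (own properties only)
// and an object whose prototype carries an injected key, standing in for a
// polluted Object.prototype without actually polluting it in this process.
const parsedConfig = JSON.parse('{"baseURL":"http://example.invalid"}');
const inheritedOnly = Object.create({ socketPath: "/injected.sock" });

console.log(ownOption(parsedConfig, "baseURL", null));   // http://example.invalid
console.log(ownOption(inheritedOnly, "socketPath", null)); // null
```

The simulated-pollution object built with `Object.create` is deliberate: it lets the guard be exercised without mutating `Object.prototype` for the whole process, which is also the pattern to prefer in unit tests for this kind of fix.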

@aikido-autofix aikido-autofix Bot requested a review from a team as a code owner May 24, 2026 00:30
@aikido-autofix aikido-autofix Bot requested review from MedWassCh and leoncx and removed request for a team May 24, 2026 00:30
@github-actions

YARN is no longer allowed. Kindly replace the lockfile using PNPM. Found in ./quickwit/quickwit-ui/yarn.lock
