Update Axios to 1.11.0+ to fix DoS vulnerability

Description:
Indico 3.3.8 uses Axios 1.8.2, which contains a known DoS vulnerability (Axios < 1.11.0).

Vulnerability:

  • Attacker can supply large data: URIs to cause memory exhaustion

  • Bypasses maxContentLength/maxBodyLength limits

  • Results in application crash

Fix:
Upgrade Axios from 1.8.2 to 1.11.0 or later in package.json

Severity: Medium-High

References:
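A defender-side check of the kind this report implies, added here as an example that is not Indico's or Axios's own code and only matters where a server-side process fetches untrusted URLs: it estimates a data: URI's decoded size without decoding it, so a byte budget (assumed here to mirror maxContentLength) can be enforced before the HTTP client ever sees the URL. The function names and the limit value are assumptions for the illustration.

```javascript
// Added example (not Indico's or Axios's code). Estimate how many bytes a
// data: URI will occupy once decoded, *without* decoding it, so the estimate
// itself cannot exhaust memory on a server-side fetch of an untrusted URL.
// Returns null when the URL is not a data: URI.
function estimateDataUriDecodedBytes(url) {
  if (typeof url !== 'string' || !/^data:/i.test(url)) return null;
  const comma = url.indexOf(',');
  if (comma === -1) return 0;                  // malformed: no payload
  const meta = url.slice(5, comma);            // e.g. "text/plain;base64"
  const payload = url.slice(comma + 1);
  if (/;base64$/i.test(meta)) {
    // Four base64 characters decode to three bytes; '=' padding removes up to two.
    const clean = payload.replace(/\s+/g, '');
    const padding = (clean.match(/=+$/) || [''])[0].length;
    return Math.floor((clean.length * 3) / 4) - padding;
  }
  // Percent-encoded payload: each "%XX" is three UTF-8 bytes in the URL but
  // decodes to one byte, so subtract two per escape from the raw byte length.
  const escapes = (payload.match(/%[0-9a-f]{2}/gi) || []).length;
  return Buffer.byteLength(payload, 'utf8') - escapes * 2;
}

// Assumed budget, analogous to the maxContentLength/maxBodyLength options.
const MAX_DATA_URI_BYTES = 1024 * 1024;

// Apply the budget; non-data: URLs are left to the client's normal limits.
function checkDataUriWithinLimit(url, limit = MAX_DATA_URI_BYTES) {
  const bytes = estimateDataUriDecodedBytes(url);
  if (bytes === null) return { ok: true, bytes: null };
  return { ok: bytes <= limit, bytes };
}

// Hypothetical wrapper: reject oversized data: URIs before calling the client.
async function fetchWithDataUriGuard(client, url, limit = MAX_DATA_URI_BYTES) {
  const check = checkDataUriWithinLimit(url, limit);
  if (!check.ok) {
    throw new Error(`data: URI decodes to ${check.bytes} bytes, over limit ${limit}`);
  }
  return client.get(url, { maxContentLength: limit, maxBodyLength: limit });
}
```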

This vulnerability is completely irrelevant for Indico since we only use Axios client-side. The “attacker” would be attacking their own web browser. It is only a vulnerability in case of server-side JavaScript which we do not use.

Thank you for the clarification! You’re absolutely right.

I now understand that this vulnerability only affects server-side Node.js applications, not client-side browser usage like Indico. I appreciate your quick response!