From d7ddbdeff23f058091852bbfac8669bc0be910fb Mon Sep 17 00:00:00 2001 From: subratadeypappu Date: Fri, 17 Oct 2025 17:02:48 +0600 Subject: [PATCH] fix: CVE-2025-58754 by upgrading axios dependency (#41295) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Description https://github.com/appsmithorg/appsmith-ee/security/dependabot/438 Fixes CVE-2025-58754 ``` client % yarn why axios ├─ appsmith-rts@workspace:packages/rts │ └─ axios@npm:1.12.2 (via npm:^1.12.0) │ ├─ appsmith@workspace:. │ └─ axios@npm:1.12.2 (via npm:^1.12.0) │ └─ wait-on@npm:7.2.0 └─ axios@npm:1.12.2 (via npm:^1.12.0) ``` ## Automation /ok-to-test tags="@tag.All" ### :mag: Cypress test results > [!TIP] > 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉 > Workflow run: > Commit: 59f9b9b973b9673e983ab9e0437d812471d179b8 > Cypress dashboard. > Tags: `@tag.All` > Spec: >
Wed, 15 Oct 2025 08:31:04 UTC ## Communication Should the DevRel and Marketing teams inform users about this change? - [ ] Yes - [ ] No ## Summary by CodeRabbit * **Chores** * Updated axios to ^1.12.0 across the client, including the RTS package and resolution map, ensuring consistent dependency versions. * Improves overall stability and compatibility by incorporating upstream fixes and enhancements. * Reduces the risk of dependency conflicts in the client workspace. * No user-facing behavior changes are expected.
---
app/client/package.json | 4 ++-- app/client/packages/rts/package.json | 2 +- app/client/yarn.lock | 14 +++++++------- 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/app/client/package.json b/app/client/package.json
index 9a446dda8d..06c4555eb6 100644
--- a/app/client/package.json
+++ b/app/client/package.json
@@ -110,7 +110,7 @@
 "assert-never": "^1.2.1",
 "astring": "^1.7.5",
 "async-mutex": "^0.5.0",
- "axios": "^1.8.3",
+ "axios": "^1.12.0",
 "bfj": "^7.0.2",
 "camelcase": "^6.2.1",
 "classnames": "^2.3.1",
@@ -426,7 +426,7 @@
 "@blueprintjs/icons": "3.22.0",
 "@types/react": "^17.0.2",
 "postcss": "8.4.31",
- "axios": "^1.8.3",
+ "axios": "^1.12.0",
 "esbuild": "^0.25.1",
 "path-to-regexp@^1.7.0": "1.9.0",
 "prismjs": "1.30.0",
diff --git a/app/client/packages/rts/package.json b/app/client/packages/rts/package.json
index 85d37ef455..7036663c8d 100644
--- a/app/client/packages/rts/package.json
+++ b/app/client/packages/rts/package.json
@@ -23,7 +23,7 @@
 "@opentelemetry/sdk-trace-node": "^1.27.0",
 "@opentelemetry/semantic-conventions": "^1.27.0",
 "@shared/ast": "workspace:^",
- "axios": "^1.8.3",
+ "axios": "^1.12.0",
 "dotenv": "10.0.0",
 "express": "^4.20.0",
 "express-validator": "^6.14.2",
diff --git a/app/client/yarn.lock b/app/client/yarn.lock
index 72703d6dcf..04dcebce9e 100644
--- a/app/client/yarn.lock
+++ b/app/client/yarn.lock
@@ -13605,7 +13605,7 @@ __metadata:
 "@types/node": "*"
 "@types/nodemailer": ^6.4.17
 "@types/readline-sync": ^1.4.8
- axios: ^1.8.3
+ axios: ^1.12.0
 dotenv: 10.0.0
 express: ^4.20.0
 express-validator: ^6.14.2
@@ -13748,7 +13748,7 @@ __metadata:
 assert-never: ^1.2.1
 astring: ^1.7.5
 async-mutex: ^0.5.0
- axios: ^1.8.3
+ axios: ^1.12.0
 babel-jest: ^27.4.2
 babel-loader: ^8.2.3
 babel-plugin-lodash: ^3.3.4
@@ -14416,14 +14416,14 @@ __metadata:
 languageName: node
 linkType: hard
 
-"axios@npm:^1.8.3":
- version: 1.8.3
- resolution: "axios@npm:1.8.3"
+"axios@npm:^1.12.0":
+ version: 1.12.2
+ resolution: "axios@npm:1.12.2"
 dependencies:
 follow-redirects: ^1.15.6
- form-data: ^4.0.0
+ form-data: ^4.0.4
 proxy-from-env: ^1.1.0
- checksum: 85fc8ad7d968e43ea9da5513310637d29654b181411012ee14cc0a4b3662782e6c81ac25eea40b5684f86ed2d8a01fa6fc20b9b48c4da14ef4eaee848fea43bc
+ checksum: f0331594fe053a4bbff04104edb073973a3aabfad2e56b0aa18de82428aa63f6f0839ca3d837258ec739cb4528014121793b1649a21e5115ffb2bf8237eadca3
 languageName: node
 linkType: hard