Fixed prototype pollution vulnerability (issue #7538) in axios's parseHe

[nmurrell07]

Closes #7306

Fixed prototype pollution vulnerability (issue #7538) in axios's parseHeaders.js by changing parsed = {} to parsed = Object.create(null) to prevent proto/constructor attacks. The fix is committed on branch fix/prototype-pollution-parseHeaders and ready for PR submission.

---

Summary by cubic

Prevents prototype pollution in header parsing by switching to a prototype-less headers object. Blocks __proto__/constructor attacks and slightly changes the shape of response.headers.

Description

• Summary of changes

  • Use Object.create(null) for the headers map in lib/helpers/parseHeaders.js.
  • Added jsdom to dependencies; updated package-lock.json.

• Reasoning

  • Malicious header names like __proto__ could modify object prototypes. This hardens parsing and closes that vector.

• Additional context

  • response.headers is now prototype-less. Avoid direct response.headers.hasOwnProperty(...); use Object.prototype.hasOwnProperty.call(response.headers, key).
  • Review hint: confirm if jsdom is required at runtime. It may belong in devDependencies.

Docs

• Add a note that response.headers is a plain dictionary (no prototype). Show examples using Object.prototype.hasOwnProperty.call(headers, 'header-name').

Testing

• No tests added.
• Tests needed:
  • Add a regression test ensuring a header named __proto__ does not pollute global prototypes.
  • Verify typical access and iteration over response.headers still work as expected.

^{Written for commit 2574e1c. Summary will update on new commits.}

[cubic-dev-ai]

1 issue found across 3 files

Confidence score: 4/5

• This PR is likely safe to merge, with minimal risk: the only noted issue is dependency hygiene rather than a direct functional regression.
• In package.json, adding jsdom as a production dependency without clear runtime need can increase install size and attack surface for downstream consumers.
• Given the moderate severity (5/10) and high confidence (8/10), this is worth correcting soon but does not appear merge-blocking by itself.
• Pay close attention to package.json - verify whether jsdom should be moved to devDependencies or removed if unused at runtime.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="package.json">

<violation number="1" location="package.json:154">
P2: `jsdom` was added as a production dependency without evidence of runtime usage, causing unnecessary installation and attack-surface increase for all consumers.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: jsdom was added as a production dependency without evidence of runtime usage, causing unnecessary installation and attack-surface increase for all consumers.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At package.json, line 154:

<comment>`jsdom` was added as a production dependency without evidence of runtime usage, causing unnecessary installation and attack-surface increase for all consumers.</comment>

<file context>
@@ -151,6 +151,7 @@
   "dependencies": {
     "follow-redirects": "^1.15.11",
     "form-data": "^4.0.5",
+    "jsdom": "^29.0.1",
     "proxy-from-env": "^2.1.0"
   },
</file context>