Vulnerability in Archon project

[ankitdn]

While working on Archon project, I scanned the dependency manifest and found that the application uses a vulnerable version of axios affected by CVE-2025-62718. This vulnerability allows bypassing NO_PROXY rules due to improper hostname normalization (e.g., localhost. or [::1]). As a result, requests intended to bypass proxies may instead be routed through a proxy, potentially exposing sensitive internal services and leading to SSRF risks.

CVE Report
CVE Link

[stefans71]

I looked into this and here's what I found:

Axios is not a direct dependency — it's pulled in transitively by @slack/bolt (via @slack/web-api). The current lockfile resolves to axios@1.13.6, which is below the 1.15.0 fix version for CVE-2025-62718.

The Slack SDKs already allow the fixed version. @slack/bolt@4.7.0 requires axios: ^1.12.0 and @slack/web-api@7.15.0 requires axios: ^1.13.5 — both semver ranges accept 1.15.0+. So no upstream release is needed.

Suggested fix — add an axios override to the root package.json and reinstall:

  "overrides": {
-   "test-exclude": "^7.0.1"
+   "test-exclude": "^7.0.1",
+   "axios": "^1.15.0"
  }

Then bun install will resolve axios to 1.15.0 across all transitive consumers.

Practical risk context: This CVE requires a proxy with NO_PROXY rules to exploit. It only affects users running the Slack adapter, and only if their environment routes requests through a configured proxy. That said, it's a simple one-line fix so worth doing.