ZAP Scanning Report

The identified library appears to be vulnerable.

The identified library axios, version 1.6.8 is vulnerable.

CVE-2025-62718

CVE-2026-39865

CVE-2025-27152

CVE-2024-39338

CVE-2025-58754

CVE-2026-25639

CVE-2026-40175

https://github.com/axios/axios/issues/6463

https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57

https://github.com/axios/axios/pull/6539

https://github.com/axios/axios/pull/10661

https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2

https://github.com/axios/axios/pull/10660

https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df

https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e

https://github.com/advisories/GHSA-jr5f-v2jv-69x6

https://github.com/axios/axios/releases/tag/v1.12.0

https://github.com/axios/axios/pull/7388

https://github.com/axios/axios/releases/tag/v1.13.2

https://github.com/axios/axios/pull/7369

https://github.com/axios/axios/releases/tag/v1.15.0

https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433

https://github.com/axios/axios/releases

https://github.com/axios/axios/releases/tag/v1.7.4

https://github.com/axios/axios/releases/tag/v1.8.2

https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj

https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5

https://github.com/advisories/GHSA-8hc4-vh64-cxmj

https://datatracker.ietf.org/doc/html/rfc1034#section-3.1

https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593

https://github.com/axios/axios/releases/tag/v1.13.5

https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a

https://nvd.nist.gov/vuln/detail/CVE-2024-39338

https://github.com/axios/axios/releases/tag/v0.30.3

https://github.com/axios/axios

https://github.com/axios/axios/commit/fb8eec214ce7744b5ca787f2c3b8339b2f54b00f

https://github.com/axios/axios/pull/6543

https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6

https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1

https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html

https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx

https://nvd.nist.gov/vuln/detail/CVE-2025-27152

https://github.com/axios/axios/pull/7011

https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8

Upgrade to the latest version of the affected library.

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

The integrity attribute is missing on a script or link tag served by an external server. The integrity tag prevents an attacker who have gained access to this server from injecting a malicious content.

Provide a valid integrity attribute to the tag.

The page includes one or more script files from a third-party domain.

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

A timestamp was disclosed by the application/web server. - Unix

1521486534, which evaluates to: 2018-03-19 19:08:54.

1541459225, which evaluates to: 2018-11-05 23:07:05.

1694144372, which evaluates to: 2023-09-08 03:39:32.

1779033703, which evaluates to: 2026-05-17 16:01:43.

1899447441, which evaluates to: 2030-03-11 08:17:21.

Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

No links have been found while there are scripts, which is an indication that this is a modern web application.

No links have been found while there are scripts, which is an indication that this is a modern web application.

No links have been found while there are scripts, which is an indication that this is a modern web application.

No links have been found while there are scripts, which is an indication that this is a modern web application.

No links have been found while there are scripts, which is an indication that this is a modern web application.

This is an informational alert and so no changes are required.

The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.

For secure content, ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached consider setting the directives "public, max-age, immutable".