fix(deps): vuln minor: axios, vite [services/frontend]

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 2 packages upgraded (MINOR changes included)

Manifests changed:

• services/frontend (npm)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
axios	1.8.4	1.16.0	minor	Direct	8 HIGH, 10 MODERATE, 1 LOW
vite	6.2.3	6.4.2	minor	Direct	2 HIGH, 11 MODERATE, 4 LOW

---

Security Details

🚨 Critical & High Severity (10 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
axios	GHSA-pmwg-cvhr-8vh7	HIGH	Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0	1.8.4	1.15.1
axios	GHSA-6chq-wfr3-2hj9	HIGH	Axios: Header Injection via Prototype Pollution	1.8.4	1.15.1
axios	GHSA-43fc-jf86-j433	HIGH	Axios is Vulnerable to Denial of Service via proto Key in mergeConfig	1.8.4	1.13.5
axios	CVE-2026-25639	HIGH	Axios affected by Denial of Service via proto Key in mergeConfig	1.8.4	-
axios	GHSA-q8qp-cvcw-x6jj	HIGH	Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking	1.8.4	1.15.2
axios	CVE-2025-58754	HIGH	Axios is vulnerable to DoS attack through lack of data size check	1.8.4	-
axios	GHSA-pf86-5x62-jrwf	HIGH	Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking	1.8.4	1.15.1
axios	GHSA-4hjh-wcwx-xvwj	HIGH	Axios is vulnerable to DoS attack through lack of data size check	1.8.4	1.12.0
vite	CVE-2025-31125	high	This package is related to CVE CVE-2025-31125 which was detected by cisa.gov as actively being exploited in the wild	6.2.3	-
vite	GHSA-p9ff-h696-f583	HIGH	Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket	6.2.3	8.0.5

ℹ️ Other Vulnerabilities (26)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
axios	GHSA-445q-vr5w-6q77	MODERATE	Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream	1.8.4	1.15.1
axios	GHSA-vf2m-468p-8v99	MODERATE	Axios: HTTP adapter streamed responses bypass maxContentLength	1.8.4	1.15.1
axios	GHSA-m7pr-hjqh-92cm	MODERATE	Axios: no_proxy bypass via IP alias allows SSRF	1.8.4	1.15.1
axios	GHSA-xx6v-rp6x-q39c	MODERATE	Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion	1.8.4	1.15.1
axios	GHSA-w9j2-pvgh-6h63	MODERATE	Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy	1.8.4	1.15.1
axios	GHSA-fvcv-3m26-pcqx	MODERATE	Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain	1.8.4	1.15.0
axios	GHSA-3w6x-2g7m-8v23	MODERATE	Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver	1.8.4	1.15.2
axios	GHSA-5c9x-8gcm-mpgx	MODERATE	Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0	1.8.4	1.15.1
axios	GHSA-3p68-rc4w-qgx5	MODERATE	Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF	1.8.4	1.15.0
axios	GHSA-62hf-57xw-28j9	MODERATE	Axios: unbounded recursion in toFormData causes DoS via deeply nested request data	1.8.4	1.15.1
vite	CVE-2025-62522	MODERATE	vite allows server.fs.deny bypass via backslash on Windows	6.2.3	-
vite	CVE-2025-31486	MODERATE	Vite allows server.fs.deny to be bypassed with .svg or relative paths	6.2.3	-
vite	GHSA-93m4-6634-74q7	MODERATE	vite allows server.fs.deny bypass via backslash on Windows	6.2.3	7.1.11
vite	CVE-2025-32395	MODERATE	Vite has an server.fs.deny bypass with an invalid request-target	6.2.3	-
vite	GHSA-859w-5945-r5v3	MODERATE	Vite's server.fs.deny bypassed with /. for files under project root	6.2.3	6.3.4
vite	CVE-2025-46565	MODERATE	Vite's server.fs.deny bypassed with /. for files under project root	6.2.3	-
vite	CVE-2025-31125	MODERATE	Vite has a server.fs.deny bypassed for inline and raw with ?import query	6.2.3	-
vite	GHSA-4r4m-qw57-chr8	MODERATE	Vite has a server.fs.deny bypassed for inline and raw with ?import query	6.2.3	6.2.4
vite	GHSA-356w-63v5-8wf4	MODERATE	Vite has an server.fs.deny bypass with an invalid request-target	6.2.3	6.2.6
vite	GHSA-xcj6-pq6g-qj4x	MODERATE	Vite allows server.fs.deny to be bypassed with .svg or relative paths	6.2.3	6.2.5
vite	GHSA-4w7w-66w2-5vf9	MODERATE	Vite Vulnerable to Path Traversal in Optimized Deps .map Handling	6.2.3	8.0.5
axios	GHSA-xhjh-pmcv-23jw	LOW	Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams	1.8.4	1.15.1
vite	CVE-2025-58751	LOW	Vite middleware may serve files starting with the same name with the public directory	6.2.3	-
vite	GHSA-g4jq-h2w9-997c	LOW	Vite middleware may serve files starting with the same name with the public directory	6.2.3	7.1.5
vite	GHSA-jqfw-vq24-v9c3	LOW	Vite's server.fs settings were not applied to HTML files	6.2.3	7.1.5
vite	CVE-2025-58752	LOW	Vite's server.fs settings were not applied to HTML files	6.2.3	-

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System