Security Advisory - Published 2026-06-12 - Node.js

Node.js dependency batch: Axios, tmp, js-libp2p, and image-size

These CVEs sit in common building blocks. The first question is not whether your app imports the package somewhere. It is whether that package is used on a reachable path: outbound HTTP, file upload processing, temporary file creation, or public peer traffic.

Defensive scope: use this for owned codebases and approved client environments. It avoids attack samples and focuses on dependency inventory, reachable paths, and safe updates.

Package map

Package: Axios
  CVEs: CVE-2026-44486, 44487, 44488, 44492, 44494, 44495, 44496
  Fix target: 0.32.0 / 1.16.0; 1.15.2 for one branch
  Risk to check: server-side proxy behavior, redirects, body limits, browser XSRF cookie parsing

Package: tmp
  CVEs: CVE-2026-44705, CVE-2026-49982
  Fix target: 0.2.7
  Risk to check: user-controlled temporary file options

Package: js-libp2p
  CVEs: CVE-2026-46679
  Fix target: 15.0.23
  Risk to check: public gossipsub peers and memory pressure

Package: image-size
  CVEs: CVE-2025-71319, 71329, 71330
  Fix target: patch or isolate parsing
  Risk to check: untrusted JXL, HEIF, or ICNS uploads blocking the event loop

Inventory commands

npm ls axios tmp image-size @libp2p/gossipsub
pnpm why axios tmp image-size @libp2p/gossipsub
yarn why axios tmp image-size @libp2p/gossipsub

Lockfile presence is only the first pass. Check whether the package is used in API handlers, SSR code, image upload workers, background queues, or public peer nodes.

Exposure checks

  • Axios: identify server-side code with authenticated proxies, custom NO_PROXY logic, automatic redirects, or fetch-adapter use.
  • tmp: search request handlers for user-provided prefix, postfix, dir, name, or template values.
  • image-size: move untrusted image metadata parsing into a worker with memory and time limits.
  • js-libp2p: check public gossipsub nodes, heap alerts, peer churn, and dependency pins.

Safe fix path

  1. Patch direct dependencies first, then regenerate the lockfile and check transitive copies.
  2. Restart API servers, SSR workers, image workers, and peer nodes after deployment.
  3. Rotate outbound proxy credentials if logs show unusual redirects or unexpected destinations.
  4. Add input type checks around temporary file options and move image parsing away from the request thread.

Ping7 repair path

Ping7 can review lockfiles, reachable Node.js routes, upload processing, proxy config, and post-patch deployment state. Start with CVE Repair if the affected service handles customer uploads, credentials, or production traffic.
