Security Advisory - Published 2026-06-12 - Node.js
Node.js dependency batch: Axios, tmp, js-libp2p, and image-size
These CVEs sit in common building blocks. The first question is not whether your app imports the package somewhere. It is whether that package is used on a reachable path: outbound HTTP, file upload processing, temporary file creation, or public peer traffic.
Package map
| Package | CVEs | Fix target | Risk to check |
|---|---|---|---|
| Axios | CVE-2026-44486, CVE-2026-44487, CVE-2026-44488, CVE-2026-44492, CVE-2026-44494, CVE-2026-44495, CVE-2026-44496 | 0.32.0 on the 0.x line; 1.16.0 on the 1.x line (1.15.2 is listed for one of the fixes; 1.16.0 is at or above it, so target 1.16.0) | Server-side proxy behavior, redirects, body limits (maxContentLength, maxBodyLength), browser XSRF cookie parsing. |
| tmp | CVE-2026-44705, CVE-2026-49982 | 0.2.7 | User-controlled temporary file options. |
| js-libp2p | CVE-2026-46679 | 15.0.23 | Public gossipsub peers and memory pressure. |
| image-size | CVE-2025-71319, 71329, 71330 | Patch or isolate parsing | Untrusted JXL, HEIF, or ICNS uploads blocking the event loop. |
Inventory commands
npm ls axios tmp image-size @libp2p/gossipsub
pnpm why axios tmp image-size @libp2p/gossipsub
yarn why axios tmp image-size @libp2p/gossipsub
Lockfile presence is only the first pass. These commands show which packages pull each dependency in, including nested copies under other packages. Then check whether the package is used in API handlers, SSR code, image upload workers, background queues, or public peer nodes.
Exposure checks
- Axios: identify server-side code that sets proxy credentials (proxy.auth or an authenticated HTTP(S)_PROXY URL), implements its own NO_PROXY logic, relies on automatic redirect following (the default in Node), or selects the fetch adapter.
- tmp: search request handlers and upload middleware for tmp options (prefix, postfix, dir, name, template) populated from request data such as req.body, req.query, headers, or multipart field names.
- image-size: move untrusted image metadata parsing into a worker thread or separate process with a heap cap and a wall-clock timeout, and treat a limit hit as a rejected upload.
- js-libp2p: check public gossipsub nodes, heap alerts, peer churn, and whether @libp2p/gossipsub is pinned below 15.0.23.
Safe fix path
- Patch direct dependencies first, then regenerate the lockfile and check for transitive copies still nested under other packages; if a dependency pins an old version, force it with npm overrides, pnpm.overrides, or yarn resolutions and re-run npm ls.
- Restart API servers, SSR workers, image workers, and peer nodes after deployment.
- Rotate outbound proxy credentials if logs show unusual redirects or unexpected destinations.
- Add input type checks around temporary file options and move image parsing away from the request thread.
Ping7 repair path
Ping7 can review lockfiles, reachable Node.js routes, upload processing, proxy config, and post-patch deployment state. Start with CVE Repair if the affected service handles customer uploads, credentials, or production traffic.