Publish GHSA-58q2-9x27-h2jm

advisory-database[bot] · advisory-database[bot] · commit 4cb897f957b6 · 2026-01-15T22:33:00.000Z
diff --git a/advisories/github-reviewed/2026/01/GHSA-58q2-9x27-h2jm/GHSA-58q2-9x27-h2jm.json b/advisories/github-reviewed/2026/01/GHSA-58q2-9x27-h2jm/GHSA-58q2-9x27-h2jm.json
@@ -1,11 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-58q2-9x27-h2jm",
-  "modified": "2026-01-15T20:12:25Z",
+  "modified": "2026-01-15T22:31:35Z",
   "published": "2026-01-15T20:12:25Z",
   "aliases": [],
   "summary": "solspace/craft-freeform Has a DoS Vulnerability",
-  "details": "### Summary\nFreeform plugin v4.1.29 uses vulnerable Axios ^1.7.7 allowing unauthenticated attackers to crash servers via malicious data: URIs causing memory exhaustion (CVE-2025-58754).\n\nFreeform version: 4.1.29\nCraft CMS version: 4.16.8\n\n### Impact\nWhen Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`.",
+  "details": "### Summary\nFreeform plugin v4.1.29 uses vulnerable Axios ^1.7.7 allowing unauthenticated attackers to crash servers via malicious data: URIs causing memory exhaustion (CVE-2025-58754).\n\nFreeform version: 4.1.29\nCraft CMS version: 4.16.8\n\n### Impact\nWhen Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`.\n\nhttps://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj\nhttps://github.com/axios/axios/pull/7011\nhttps://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593\nhttps://github.com/axios/axios/releases/tag/v1.12.0",
   "severity": [
     {
       "type": "CVSS_V4",
@@ -23,17 +23,17 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "4.1.29"
+              "introduced": "0"
             },
             {
               "fixed": "4.1.30"
             }
           ]
         }
       ],
-      "versions": [
-        "4.1.29"
-      ]
+      "database_specific": {
+        "last_known_affected_version_range": "< 4.1.29"
+      }
     }
   ],
   "references": [

Original file line number	Diff line number	Diff line change
`@@ -1,11 +1,11 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-58q2-9x27-h2jm",`
`4`		`- "modified": "2026-01-15T20:12:25Z",`
	`4`	`+ "modified": "2026-01-15T22:31:35Z",`
`5`	`5`	`"published": "2026-01-15T20:12:25Z",`
`6`	`6`	`"aliases": [],`
`7`	`7`	`"summary": "solspace/craft-freeform Has a DoS Vulnerability",`
`8`		- "details": "### Summary\nFreeform plugin v4.1.29 uses vulnerable Axios ^1.7.7 allowing unauthenticated attackers to crash servers via malicious data: URIs causing memory exhaustion (CVE-2025-58754).\n\nFreeform version: 4.1.29\nCraft CMS version: 4.16.8\n\n### Impact\nWhen Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`.",
	`8`	+ "details": "### Summary\nFreeform plugin v4.1.29 uses vulnerable Axios ^1.7.7 allowing unauthenticated attackers to crash servers via malicious data: URIs causing memory exhaustion (CVE-2025-58754).\n\nFreeform version: 4.1.29\nCraft CMS version: 4.16.8\n\n### Impact\nWhen Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`.\n\nhttps://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj\nhttps://github.com/axios/axios/pull/7011\nhttps://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593\nhttps://github.com/axios/axios/releases/tag/v1.12.0",
`9`	`9`	`"severity": [`
`10`	`10`	`{`
`11`	`11`	`"type": "CVSS_V4",`
`@@ -23,17 +23,17 @@`
`23`	`23`	`"type": "ECOSYSTEM",`
`24`	`24`	`"events": [`
`25`	`25`	`{`
`26`		`- "introduced": "4.1.29"`
	`26`	`+ "introduced": "0"`
`27`	`27`	`},`
`28`	`28`	`{`
`29`	`29`	`"fixed": "4.1.30"`
`30`	`30`	`}`
`31`	`31`	`]`
`32`	`32`	`}`
`33`	`33`	`],`
`34`		`- "versions": [`
`35`		`- "4.1.29"`
`36`		`- ]`
	`34`	`+ "database_specific": {`
	`35`	`+ "last_known_affected_version_range": "< 4.1.29"`
	`36`	`+ }`
`37`	`37`	`}`
`38`	`38`	`],`
`39`	`39`	`"references": [`