AI Security Summary
React SPAs using lodash and axios expose HTTP client configuration, template rendering, and object merge paths as the dominant attack surface. The recurring mistake is passing untrusted input into functions that unsafely traverse or construct JavaScript objects and strings without ownership or depth guards.
Code Injection via Unsafe Template and Function Constructor Sinks
Covers: CVE-2021-23337 · CVE-2026-4800 Risk: Attackers who control lodash template options or import key names can execute arbitrary code through the Function() constructor sink.
- NEVER pass user-controlled strings as the variable option or as imports key names to lodash template functions.
- ALWAYS treat every property of an options object passed to template-style APIs as a potential code injection vector, not just the template string itself.
- NEVER assume a previous validation fix covers all input paths into the same Function() constructor sink — audit every parameter route independently.
- ALWAYS reject or sanitize input at the boundary before it reaches any dynamic code-generation utility.
Prototype Pollution via Path Traversal and Object Merge Gadgets
Covers: CVE-2026-42033 · CVE-2026-42035 · CVE-2026-42039 · CVE-2026-42041 · CVE-2026-42042 · CVE-2026-2950 · CVE-2025-13465 · CVE-2026-25639 · CVE-2026-42034 · CVE-2026-42036 Risk: Prototype pollution from any dependency can be weaponized as a gadget to bypass authentication, inject headers, leak XSRF tokens, or crash the process via axios and lodash config merges.
- NEVER merge or assign configuration objects from user-controlled or JSON-parsed sources without first freezing Object.prototype or using Object.create(null) containers.
- ALWAYS guard every property read on a merged config with hasOwnProperty or Object.hasOwn — never rely on inherited property lookup for security-sensitive keys like validateStatus, withXSRFToken, or getHeaders.
- NEVER allow array-wrapped or bracket-notation path segments to flow into lodash path-manipulation functions such as _.unset or _.omit without explicit segment-type validation.
- ALWAYS enforce explicit depth limits and stack-cycle detection before recursively walking any user-supplied object structure.
- NEVER treat a previously patched path-validation fix as complete without auditing all sibling code paths that flow into the same sink.
- ALWAYS use strict boolean comparisons for security-gating flags rather than truthy/falsy coercion, so that a polluted prototype property cannot silently activate them.
SSRF and Proxy Bypass via URL and Hostname Normalization Failures
Covers: CVE-2025-27152 · CVE-2026-42043 · CVE-2025-62718 · CVE-2026-42038 · CVE-2026-40175 Risk: Attackers can force axios requests to internal or cloud-metadata endpoints by supplying absolute URLs or specially formatted hostnames that bypass NO_PROXY matching and header sanitization.
- NEVER allow user-supplied values to set or override the full request URL passed to axios — always construct URLs from a validated base and an allowlisted path.
- ALWAYS normalize hostnames to their canonical form, resolving loopback aliases and stripping trailing dots, before comparing against any proxy-bypass or allowlist rule.
- NEVER rely solely on string equality when matching NO_PROXY rules; resolve IP aliases and IPv6 literals to the same canonical representation used in the rule list.
- ALWAYS validate and strip outgoing HTTP headers at the application layer before axios sends them, especially when any upstream code performs object merges.
- NEVER assume baseURL alone constrains the final request destination when absolute URLs can be passed as the request path.
ReDoS via Unbounded Regex on User-Controlled Input
Covers: CVE-2021-3749 · CVE-2020-28500 Risk: User-controlled strings passed to axios or lodash functions backed by catastrophically backtracking regex patterns can stall the JavaScript event loop.
- NEVER pass unbounded or large user-supplied strings directly to utility functions that perform whitespace trimming, numeric coercion, or content-type parsing without first enforcing a length cap.
- ALWAYS apply an input length limit at the earliest entry point before any string reaches a library function whose regex behavior under adversarial input is unknown.
- NEVER assume a utility function is safe from ReDoS because it looks purely computational — verify the underlying regex handles worst-case input in linear time.
Credential and Token Leakage via Misconfigured HTTP Client Behavior
Covers: CVE-2023-45857 · CVE-2026-42042 Risk: XSRF tokens and session credentials can be silently forwarded to unintended third-party hosts due to insufficient origin checks in axios request logic.
- NEVER rely on axios default XSRF header behavior for cross-origin requests — explicitly scope XSRF token attachment to same-origin requests only.
- ALWAYS verify the request origin matches the intended host before attaching any authentication token or credential header.
- NEVER allow a falsy-check on a config flag to control whether sensitive tokens are included in outgoing requests; use strict equality and explicit opt-in logic.
Cross-cutting patterns (all React SPA projects)
- ALWAYS parse externally supplied JSON into a null-prototype object before passing it to any library function that performs property enumeration or merging.
- NEVER forward raw user input as configuration to a third-party HTTP client or utility function without an explicit allowlist of permitted keys and value shapes.
- ALWAYS enforce hard limits on payload size, recursion depth, and string length at the application boundary, independent of any limits the underlying library claims to apply.
- NEVER treat a security fix as complete if it patches only one syntactic form of the attack input — always enumerate sibling input paths that converge on the same vulnerable sink.