Security: Outdated Axios Version with Known CVEs in ringcentral-embeddable 2.0.0 #1128

@lance-simangan-sm

Description

Hello RingCentral Team,

We identified that the embeddable widget served from:

https://apps.ringcentral.com/integration/ringcentral-embeddable/2.0.0/app.js

is currently bundling Axios version 1.4.0 / 1.7.5, which is affected by multiple published CVEs:

CVE-2025-27152 — SSRF and credential leakage (fixed in 1.8.2+)

CVE-2025-58754 — Axios vulnerability (fixed in later versions)

CVE-2024-39338 — SSRF via server-side relative URL (fixed in 1.7.4+)

Although these vulnerabilities primarily affect server-side usage of Axios, they are flagged in security scans and present compliance concerns.

Requested Action:
Please upgrade Axios to:

Minimum: 1.8.2 (addresses CVE-2025-27152)

Recommended: 1.13.5 (addresses all currently known Axios CVEs)

Please let us know if there is a secure build or roadmap for dependency updates.

Thank you.
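As an added example (not part of the issue and not code from the ringcentral-embeddable project), here is a small Node.js check of the kind a consumer of a third-party bundle can run to confirm which axios versions it carries and whether they predate the fix versions cited above. It assumes axios builds embed their version as `VERSION="x.y.z"` and/or in the string `axios/x.y.z`; the bundle text it scans is constructed.

```javascript
// Added example (not from the issue or the ringcentral-embeddable project).
// Scans the text of a JavaScript bundle for axios version markers and reports,
// per version found, which of the listed CVEs it predates the fix for.
// Assumption: axios builds embed their version as VERSION="x.y.z" and/or in the
// string "axios/x.y.z". A bare VERSION= marker may belong to another library,
// so treat a hit from that pattern as a hint to confirm, not as proof.

// Minimum fixed versions as stated in the issue. CVE-2025-58754 is omitted
// because the issue gives no fix version for it.
const FIXED_IN = {
  'CVE-2024-39338': '1.7.4',
  'CVE-2025-27152': '1.8.2',
};

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Return the distinct axios versions found in the bundle text, ascending.
function findAxiosVersions(bundleText) {
  const re = /(?:VERSION\s*=\s*["']|axios\/)(\d+\.\d+\.\d+)/g;
  const found = new Set();
  let m;
  while ((m = re.exec(bundleText)) !== null) found.add(m[1]);
  return [...found].sort(compareVersions);
}

// Map each found version to the listed CVEs whose fix version it is below.
function auditBundle(bundleText) {
  const report = {};
  for (const v of findAxiosVersions(bundleText)) {
    report[v] = Object.entries(FIXED_IN)
      .filter(([, fixed]) => compareVersions(v, fixed) < 0)
      .map(([cve]) => cve);
  }
  return report;
}

// Constructed sample: a bundle fragment carrying two axios copies, as the issue describes.
const SAMPLE_BUNDLE =
  'const VERSION="1.4.0";/*...*/headers.set("User-Agent","axios/1.7.5")/*...*/';

console.log(auditBundle(SAMPLE_BUNDLE));
```

Point it at a downloaded copy of a bundle (for example with `fs.readFileSync`) and an empty array for a version means none of the listed CVEs apply to it.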
