Last Week in AppSec for 29. July 2025 - Checkmarx

Last Week in AppSec for 29. July 2025


July 29, 2025

A street-art style graphic depicting a newspaper with a SECURITY headline


Here are some news items our team found interesting over the past week, which you might have missed.


IoT data analytics tool ekuiper has a SQLi

Go package ekuiper, a moderately popular server and framework for IoT data analytics and stream processing, has a SQL Injection flaw (GHSA-526j-mv3p-f4vv and CVE-2025-54379), allowing attackers to perform damaging SQL operations; the example given drops the users table entirely.

While not massively popular, the ekuiper package’s intended use case is deployment on edge IoT devices, making patching processes more difficult. This highlights the need for IoT adopters to be cautious and deliberate about product selection and have a plan for vulnerability management.

Axios system has exploitable unsafe random in transitive dependency

Popular JavaScript HTTP client library axios is impacted by a serious vulnerability in a library it depends on. While the advisory has been withdrawn for axios itself, the vulnerability is still present in the transitive dependency form-data. This means you can fix it either by updating axios to at least 1.11.0 or by explicitly overriding the form-data version to 4.0.4.

While insufficient randomness can be difficult to exploit – typically requiring observing a sizeable sample of the randomly-generated values – the impact in this case could be significant as it allows an attacker to control form data being sent to an application. This advisory has a published proof-of-concept, which often makes exploitation more likely.

The publication and withdrawal of the Axios advisory highlights the challenges AppSec and Dev teams face with managing transitive dependencies. The issue is not, from one point of view, in Axios at all. But adopters of Axios are still impacted by it, and are faced with additional complexity in future maintenance if they fix the vulnerability by forcing a transitive dependency override.
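To make the transitive-dependency problem concrete, here is an added example (not code from the Checkmarx post, the axios project or form-data) that scans an npm lockfile for every installed copy of a package, top-level or nested under another package's node_modules, reports the copies below a fixed version, and emits the package.json `overrides` stanza (honoured by npm 8.3 and later) that pins the dependency. The lockfile contents are constructed sample data, and the "some-tool" package nesting an older form-data is hypothetical; the fixed version 4.0.4 comes from the text above.

```javascript
// Added example: find vulnerable copies of a transitive dependency in an npm
// lockfile (lockfileVersion 2/3 "packages" map) and build the override that
// pins it. SAMPLE_LOCKFILE is constructed data, not a real project's lockfile;
// "some-tool" is a hypothetical package that nests its own form-data copy.
const SAMPLE_LOCKFILE = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { axios: "^1.10.0" } },
    "node_modules/axios": { version: "1.10.0", dependencies: { "form-data": "^4.0.0" } },
    "node_modules/form-data": { version: "4.0.3" },
    "node_modules/some-tool": { version: "2.0.0", dependencies: { "form-data": "^3.0.0" } },
    "node_modules/some-tool/node_modules/form-data": { version: "3.0.1" },
  },
};

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix is ignored) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two versions numerically, component by component: -1, 0 or 1.
// A plain string compare would wrongly put "4.0.10" before "4.0.4".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `pkg` lives at a path ending in "node_modules/<pkg>",
// whether hoisted to the top level or nested under a dependent. Return the
// copies whose version is below `fixed` as [{ path, version }].
function findVulnerableCopies(lockfile, pkg, fixed) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages ?? {})) {
    if (!path.endsWith(`node_modules/${pkg}`)) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// The package.json "overrides" stanza that forces `pkg` to `fixed` for every
// dependent in the tree (the approach the post describes for form-data).
function buildOverride(pkg, fixed) {
  return { overrides: { [pkg]: fixed } };
}

// Combine the scan and the remediation hint; override is null when nothing is affected.
function report(lockfile, pkg, fixed) {
  const vulnerable = findVulnerableCopies(lockfile, pkg, fixed);
  return { vulnerable, override: vulnerable.length ? buildOverride(pkg, fixed) : null };
}

console.log(JSON.stringify(report(SAMPLE_LOCKFILE, "form-data", "4.0.4"), null, 2));
```

Run against a real project by replacing SAMPLE_LOCKFILE with the parsed contents of its package-lock.json. The scan deliberately walks every nested copy rather than only the hoisted one, because a single `npm update axios` fixes only the copy axios resolves to, while an `overrides` entry pins all of them; that is the maintenance trade-off the paragraph above describes.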
