Axios CVE-2026-40175: backport plan and version compatibility for 3.x users

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

  • OpenSearch: 3.2.0
  • OpenSearch Dashboards: 3.2.0 (tarball installation)
  • OS: Ubuntu 24.04
  • Browser: N/A (question is about server-side dependency)

Describe the issue:

I’d like to ask about the recommended remediation path for
CVE-2026-40175 (axios) for users currently running OpenSearch
Dashboards on a 3.x release.

PR #11721 resolved CVE-2026-40175 and CVE-2025-62718 on the main
branch by upgrading axios from 1.13.5 to 1.15.0. Related issues:
#11741, #11725.

However, users on released 3.x tarballs still ship with the
vulnerable axios as a runtime dependency via @osd/ui-shared-deps.

I have three questions:

1. Backport plan
Is there a plan to backport PR #11721 to any 3.x stable branch
for a patch release?

2. Version compatibility (if no backport)
If backporting is not feasible, would it be possible to run a
newer Dashboards version (one that includes the axios fix) against
an older 3.x cluster?

I understand Dashboards enforces strict version matching against
the cluster. Would any of these combinations work?

  • Cluster on an older 3.x patch + Dashboards on the latest 3.x
    patch within the same minor
  • Cluster on an older 3.x minor + Dashboards on a newer 3.x minor
    (any tolerance, or strictly rejected?)

3. Interim guidance
For users who cannot immediately perform a cluster upgrade, is
there any officially recommended mitigation (e.g., resolutions
entries as referenced in PR #11754)?

Configuration:

Tarball installation, default configuration. Running in an internal
network with authenticated access only. Cluster-wide upgrades
require change control approval and cannot be performed immediately.

Relevant Logs or Screenshots:

Verified in my 3.x tarball installation that axios is shipped as
a runtime dependency, not just build-time:

$ ls node_modules/@osd/dev-utils        # not present (build-only)
$ ls node_modules/@osd/ui-shared-deps   # present (runtime)
$ grep '"version"' node_modules/axios/package.json
  "version": "1.13.5"

Related resources I’ve already reviewed:

  • PR #11721 (axios 1.13.5 → 1.15.0, merged to main)
  • PR #11754 (force axios >=1.15.0 via resolutions)
  • Issues #11725, #11741 (both closed by PR #11721)
  • SECURITY.md backport guidance
  • Official upgrade documentation on version matching

Thank you for any clarification!