IBM Support

IT48705: IBM STORAGE INSIGHTS SECURITY APAR FOR CVE-2025-58754

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • CVEID: CVE-2025-58754
    Description:
    Axios is a promise based HTTP client for the browser and
    Node.js. When Axios prior to versions 0.30.2 and 1.12.0 runs on
    Node.js and is given a URL with the `data:` scheme, it does not
    perform HTTP. Instead, its Node http adapter decodes the entire
    payload into memory (`Buffer`/`Blob`) and returns a synthetic
    200 response. This path ignores `maxContentLength` /
    `maxBodyLength` (which only protect HTTP responses), so an
    attacker can supply a very large `data:` URI and cause the
    process to allocate unbounded memory and crash (DoS), even if
    the caller requested `responseType: 'stream'`. Versions 0.30.2
    and 1.12.0 contain a patch for the issue.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * IBM Storage Insights users                                   *
    *                                                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * SECURITY APAR FOR:                                           *
    * CVE-2025-58754                                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    

Problem conclusion

  • The fix for this APAR is contained in the following release:
    
    IBM Storage Insights 4Q25   [ 54X-IBM-SI ]
    ( release target 4Q 2025 / November )
    
    To protect IBM Storage Insights against emerging
    security vulnerabilities, the service was updated to
    protected against vulnerabilities.
    
    No action is required, there is nothing that you need
    to do following the IBM Storage Insights upgrade.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT48705

  • Reported component name

    STORAGE INSIGHT

  • Reported component ID

    5608TPCSI

  • Reported release

    54X

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2025-10-29

  • Closed date

    2025-11-13

  • Last modified date

    2025-11-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STORAGE INSIGHT

  • Fixed component ID

    5608TPCSI

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSQRB8","label":"IBM Storage Insights"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"54X","Line of Business":{"code":"LOB69","label":"Storage TPS"}}]

Document Information

Modified date:
13 January 2026