## McKinsey's 'Agents at Scale' Codebase Exposes Critical Axios Vulnerability (CVE-2025-62718)
A critical security flaw has been flagged in a high-profile McKinsey & Company code repository. The firm's internal JFrog Xray security scan reported a severe vulnerability, CVE-2025-62718, in the 'agents-at-scale-ark' project. This is not a theoretical threat: the violation was detected in a specific build (6376) from a recent merge, meaning the vulnerable code was actively being integrated into the project's development pipeline. The finding points to a direct and immediate risk to the integrity of McKinsey's internal AI and automation tooling.

The vulnerability resides in the widely used Axios HTTP client library, a core component for web communication in Node.js and browser applications. In versions before 1.15.0, Axios does not normalize hostnames consistently when it evaluates NO_PROXY rules. As a result, requests to loopback addresses written in alternative forms, such as 'localhost.' (with a trailing dot) or the IPv6 literal '[::1]', can bypass configured proxy restrictions entirely. Traffic that was meant to stay inside the environment can therefore be misrouted, creating a potential vector for data exfiltration or manipulation of internal services in any deployment that relies on Axios for API calls.
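
The following is an added illustration of the class of bug described above; it is not Axios's own NO_PROXY code and does not reproduce the patched logic. It shows a NO_PROXY matcher written two ways: a naive version that compares the raw hostname string against the NO_PROXY entries, and a hardened version that canonicalises the hostname first (lower-case, trailing dots stripped, IPv6 brackets removed) so that 'localhost.' and '[::1]' take the same proxy decision as 'localhost' and '::1'. The NO_PROXY value and sample hostnames are constructed for the example; port suffixes and CIDR entries are deliberately out of scope.

```javascript
// Added example (not Axios's own code): NO_PROXY matching with and without
// hostname canonicalisation.

// Split a NO_PROXY string (comma- or space-separated) into lower-cased entries.
function parseNoProxy(noProxy) {
  return noProxy
    .split(/[\s,]+/)
    .map((e) => e.trim().toLowerCase())
    .filter(Boolean);
}

// Naive check: raw string comparison, no normalisation. "localhost." and
// "[::1]" do not equal "localhost" / "::1", so they silently miss the rule.
function shouldBypassProxyNaive(hostname, noProxy) {
  const host = hostname.toLowerCase();
  return parseNoProxy(noProxy).some((entry) => {
    if (entry === '*') return true;
    if (entry.startsWith('.')) return host.endsWith(entry);
    return host === entry;
  });
}

// Canonical form used for comparison:
//  - lower-case
//  - strip IPv6 brackets      ("[::1]"      -> "::1")
//  - strip trailing dot(s)    ("localhost." -> "localhost")
function canonicalHostname(hostname) {
  let host = hostname.trim().toLowerCase();
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1);
  host = host.replace(/\.+$/, '');
  return host;
}

// Hardened check: canonicalise both the request host and every NO_PROXY entry
// before comparing. A bare entry matches the host exactly or as a parent
// domain; a leading-dot entry matches subdomains only.
function shouldBypassProxy(hostname, noProxy) {
  const host = canonicalHostname(hostname);
  return parseNoProxy(noProxy).map(canonicalHostname).some((entry) => {
    if (entry === '*') return true;
    const exact = entry.startsWith('.') ? entry.slice(1) : entry;
    const suffix = entry.startsWith('.') ? entry : '.' + entry;
    return host === exact || host.endsWith(suffix);
  });
}

// Constructed sample: a NO_PROXY value as an operator might set it, plus the
// alternative loopback spellings named in the advisory summary above.
const NO_PROXY = 'localhost,127.0.0.1,::1';
const SAMPLES = ['localhost', 'localhost.', '[::1]', '::1', 'api.example.com'];

// Return, for each sample host, the decision each matcher takes so the
// divergence is visible side by side.
function compareDecisions(noProxy = NO_PROXY, samples = SAMPLES) {
  return samples.map((h) => ({
    host: h,
    naive: shouldBypassProxyNaive(h, noProxy),
    hardened: shouldBypassProxy(h, noProxy),
  }));
}

console.table(compareDecisions());
```

The rows for 'localhost.' and '[::1]' are the ones to look at: the naive matcher answers `false` (send through the proxy) while the hardened one answers `true`, matching the operator's intent. Whichever direction a given proxy bypass runs in a real client, the defensive fix is the same: canonicalise before comparing, and apply the same canonical form to the rule list as to the request.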

The discovery places immediate operational pressure on the project's development and security teams. The scan, tagged with violation ID XRAY-963018, mandates a series of urgent next steps: reviewing the detailed workflow run, assessing the specific impact on the 'agents-at-scale' project, and applying patches or dependency updates. The alternative—adding the violation to a whitelist—would constitute a conscious decision to accept a critical security risk in a project bearing McKinsey's name, a move fraught with reputational and operational consequences for a firm advising global enterprises on digital transformation and security.
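
As an added example of the "assess the impact, then update the dependency" step, not code from the McKinsey repository or from JFrog, the script below walks a package-lock.json `packages` map (lockfile version 2 or 3) and reports every copy of axios, including nested copies pulled in transitively, whose version is older than the fixed release the advisory summary names (1.15.0). The lockfile fragment and its version numbers are constructed for the example; lockfile version 1 (`dependencies` tree) is not handled.

```javascript
// Added example: find every axios copy in a package-lock.json that is older
// than the fixed version. Not the project's own tooling.
const FIXED_AXIOS = '1.15.0'; // fixed release as stated in the advisory summary

// Numeric semver comparison on major.minor.patch (pre-release tags ignored).
// Plain string comparison would wrongly rank "1.9.2" above "1.15.0".
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return [{ path, version }] for each axios entry below `fixed`.
// Paths look like "node_modules/axios" for a top-level copy or
// "node_modules/<pkg>/node_modules/axios" for a nested one.
function findVulnerableAxios(lock, fixed = FIXED_AXIOS) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/axios$/.test(path)) continue;
    if (meta.version && compareSemver(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment (not the real project's lockfile): one
// vulnerable top-level copy and one already-fixed nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '0.1.0' },
    'node_modules/axios': { version: '1.7.9' },
    'node_modules/some-sdk': { version: '2.0.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.15.0' },
  },
};

// Reading a real lockfile would be: JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))
console.log(findVulnerableAxios(SAMPLE_LOCK));
```

The nested-copy case is the one that a quick `npm ls axios` glance tends to miss: bumping the top-level axios does nothing for a copy pinned under another package's own `node_modules`, so the scan will keep firing until that package is updated or the nested version is overridden.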

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, CVE, McKinsey, Axios
- **Credibility**: unverified
- **Published**: 2026-04-09 19:27:16
- **ID**: 57482
- **URL**: https://whisperx.ai/en/intel/57482