## IBM Digital Experience Package 'ibmdotcom-services' Exposes High-Severity Security Vulnerabilities via Axios Dependency
A critical security alert has been flagged for IBM's official digital experience package, `ibmdotcom-services-2.48.0-rc.0.tgz`. The release candidate contains two vulnerabilities, the more severe rated 7.2 on the CVSS scale, both stemming from a vulnerable version of the widely used `axios` HTTP client library. Because the flaw sits in the core dependency chain of a key IBM design system component, every downstream application or service that integrates this package inherits the exposure.

The vulnerability is traced to a specific commit (`ae1f23e32f09fd99475ed9ab481d8b5dbaf13e3d`) in the public `carbon-for-ibm-dotcom` GitHub repository. The vulnerable file sits at `/.yarn/cache/axios-npm-1.13.6-d50d919f38-a7ed83c2af.zip`, which is the Yarn offline cache: the vulnerable axios archive is committed alongside the source rather than fetched at install time, so every checkout and build of that commit carries it. While the exact nature of CVE-2025-62718 is detailed in vulnerability databases, its presence in a pre-release version of an IBM-supported package signals a potential lapse in the dependency vetting process, especially for a component central to IBM's web and digital product ecosystem.
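A defender's first question is whether a checkout carries the affected archive. As an added example (not code from the carbon-for-ibm-dotcom project), the script below parses Yarn offline-cache archive names of the form shown above and flags any package whose version falls inside a known-affected range; the range bounds are a placeholder to be filled from the advisory, and the non-axios sample entry is constructed.

```python
import re

# Yarn Berry cache archives are named <name>-npm-<version>-<hash>-<checksum>.zip,
# e.g. the archive named on the page: axios-npm-1.13.6-d50d919f38-a7ed83c2af.zip
CACHE_NAME = re.compile(
    r"^(?P<name>.+?)-npm-(?P<version>\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)*?)"
    r"-(?P<hash>[0-9a-f]{10})-(?P<checksum>[0-9a-f]{10})\.zip$"
)

def parse_cache_name(filename):
    """Return (package, version) for a cache archive name, or None if it is not one."""
    m = CACHE_NAME.match(filename)
    return (m.group("name"), m.group("version")) if m else None

def semver_key(version):
    """Comparable tuple for '1.13.6' or '2.48.0-rc.0'; a release ranks above its pre-releases."""
    core, _, pre = version.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    if not pre:
        return nums, (1,)
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return nums, (0,) + ids

def in_range(version, low, high):
    """Inclusive SemVer range check: low <= version <= high."""
    return semver_key(low) <= semver_key(version) <= semver_key(high)

def find_affected(filenames, affected):
    """affected maps package -> (lowest, highest) affected version, inclusive.
    Returns [(filename, package, version)] for every archive inside a range."""
    hits = []
    for fn in filenames:
        parsed = parse_cache_name(fn)
        if parsed and parsed[0] in affected and in_range(parsed[1], *affected[parsed[0]]):
            hits.append((fn, parsed[0], parsed[1]))
    return hits

# PLACEHOLDER bounds: the page names axios 1.13.6 as the vulnerable build but not the
# full affected range; take the real bounds from the CVE-2025-62718 advisory.
AFFECTED = {"axios": ("1.13.6", "1.13.6")}

# Constructed sample listing; only the axios entry is taken from the page.
SAMPLE_CACHE = ["axios-npm-1.13.6-d50d919f38-a7ed83c2af.zip",
                "@types-node-npm-20.11.0-1234567890-abcdef0123.zip", "README.md"]

if __name__ == "__main__":  # point this at a checkout's .yarn/cache listing instead
    for fn, name, ver in find_affected(SAMPLE_CACHE, AFFECTED):
        print(f"AFFECTED {name}@{ver}: {fn}")
```

Running it over `ls .yarn/cache` of the cited commit would flag the axios archive; the same check belongs in CI so a cached vulnerable version cannot ride along unnoticed into a stable release.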

This discovery puts IBM's open-source software supply chain security under scrutiny. Organizations that have integrated this release candidate into digital platforms built on the Carbon for IBM Dotcom design system may now be at risk. The incident underscores the persistent threat posed by transitive dependencies in enterprise-grade software and pressures IBM to remediate swiftly, before the vulnerable package moves from release candidate to a stable version and the impact widens significantly.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, supply-chain, open-source, IBM
- **Credibility**: unverified
- **Published**: 2026-04-20 19:23:09
- **ID**: 72956
- **URL**: https://whisperx.ai/en/intel/72956