[Aikido] Fix 8 security issues in socket.io-parser, next, axios and 1 more

[aikido-autofix]

Upgrade socket.io-parser, Next, Axios, and AI to fix DoS vulnerabilities including memory exhaustion, request smuggling, and malicious config crashes. This update includes breaking changes that require manual migration.

⚠️ Code affected by breaking changes.

The codebase is already using ai package version 6.0.138 (newer than the target 6.0.84), but the code still uses the deprecated CoreMessage type which was removed in version 6.0.0. This indicates the code is currently broken or will break when properly type-checked.

Breaking Change: CoreMessage type removed

• Where your code is affected:

  • lib/workflows/chat_workflow.ts (line 3, line 25): Imports and uses CoreMessage type

  • app/api/chat/route.ts (line 8, line 138, line 154, line 169): Imports and uses CoreMessage type for message arrays

  • app/api/web/chats/[chatId]/messages/route.ts (line 5, line 119, line 125): Imports and uses CoreMessage type

  • app/api/chat/group-ai-response/route.ts (line 5, line 73, line 103): Imports and uses CoreMessage type

• Impact: All files importing type CoreMessage from 'ai' will fail to compile because this type no longer exists in the ai package. The code is using a removed API that was deprecated in v5.0 and removed in v6.0.

• Remediation: Replace all instances of CoreMessage with ModelMessage and update the import statements from import { streamText, type CoreMessage } from 'ai' to import { streamText, type ModelMessage } from 'ai'. Update all variable declarations from CoreMessage[] to ModelMessage[].

Note: The socket.io-parser upgrade (4.2.4 => 4.2.6) has no impact on this codebase as no binary attachments are being sent through socket.io connections.

All breaking changes by upgrading socket.io-parser from version 4.2.4 to 4.2.6 (CHANGELOG)

Version	Description
4.2.6	Added a limit to the number of binary attachments, which restricts previously unlimited attachment behavior

All breaking changes by upgrading ai from version 5.0.115 to 6.0.84 (CHANGELOG)

Version	Description
6.0.0	Experimental_Agent class replaced with ToolLoopAgent class; system parameter renamed to instructions; default stopWhen changed from stepCountIs(1) to stepCountIs(20)
6.0.0	CoreMessage type and convertToCoreMessages function removed; must use ModelMessage type and convertToModelMessages function instead
6.0.0	convertToModelMessages() is now async and requires await
6.0.0	Tool.toModelOutput() now receives a parameter object with an output property instead of receiving the output directly as the argument
6.0.0	cachedInputTokens and reasoningTokens in LanguageModelUsage deprecated; replaced with inputTokenDetails.cacheReadTokens and outputTokenDetails.reasoningTokens
6.0.0	ToolCallOptions type renamed to ToolExecutionOptions
6.0.0	Tool strict mode now controlled per-tool via strict property instead of global strictJsonSchema in providerOptions
6.0.0	ToolCallRepairFunction signature changed: system parameter now accepts SystemModelMessage in addition to string
6.0.0	textEmbeddingModel and textEmbedding methods renamed to embeddingModel and embedding; generics removed from EmbeddingModel, embed, and embedMany
6.0.0	Separate warning types consolidated into single Warning type
6.0.0	Finish reason "unknown" removed and merged into "other"
6.0.0	isToolUIPart renamed to isStaticToolUIPart; isToolOrDynamicToolUIPart renamed to isToolUIPart
6.0.0	getToolName renamed to getStaticToolName; getToolOrDynamicToolName renamed to getToolName
6.0.0	OpenAI strictJsonSchema now defaults to true instead of false
6.0.0	OpenAI structuredOutputs provider option removed from chat models
6.0.0	Azure default provider azure() now uses Responses API by default instead of Chat Completions API; use azure.chat() for previous behavior
6.0.0	Azure Responses API now uses azure key for providerMetadata and providerOptions instead of openai
6.0.0	Google Vertex provider now uses vertex key for providerMetadata and providerOptions instead of google
6.0.0	V2 mock classes removed from ai/test module; must use V3 mock classes instead
6.0.0	Generics removed from EmbeddingModelV3
6.0.0	chat.addToolResult() renamed to chat.addToolOutput()
6.0.0	MCP imports moved from ai and ai/mcp-stdio to @ai-sdk/mcp and @ai-sdk/mcp/mcp-stdio packages

✅ 8 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2026-33151	HIGH	[socket.io-parser] A specially crafted Socket.IO packet can cause the server to buffer a large number of binary attachments, leading to memory exhaustion and denial of service.
GHSA-h25m-26qc-wcjf	HIGH	[next] A specially crafted HTTP request to App Router Server Function endpoints can trigger excessive CPU usage, out-of-memory exceptions, or server crashes, resulting in denial of service.
CVE-2026-29057	MEDIUM	[next] HTTP request smuggling vulnerability in Next.js rewrites with chunked DELETE/OPTIONS requests allows attackers to bypass route restrictions and access unintended backend endpoints. An attacker could smuggle malicious requests to internal or admin routes through request boundary disagreement between proxy and backend.
CVE-2025-59471	LOW	[next] A denial of service vulnerability in the Image Optimizer endpoint allows attackers to exhaust server memory by requesting optimization of arbitrarily large images when remotePatterns is configured. This causes out-of-memory conditions and application unavailability.
AIKIDO-2026-10095	LOW	[next] Multiple incomplete DoS mitigations in React Server Components allow specially crafted HTTP requests to Server Function endpoints to trigger server crashes, out-of-memory conditions, or excessive CPU usage. Applications not using React Server Components or server-side React functionality are unaffected.
CVE-2026-27980	LOW	[next] The default image optimization disk cache in Next.js lacks an upper bound, allowing attackers to exhaust disk space by generating many unique image variants, causing denial of service. This is fixed by implementing an LRU-backed cache with a configurable maximum size limit and automatic eviction of least-recently-used entries.
CVE-2026-25639	HIGH	[axios] The mergeConfig function crashes with a TypeError when processing configuration objects containing proto as an own property, allowing attackers to trigger denial of service. An attacker can exploit this by providing a malicious configuration object created via JSON.parse().
AIKIDO-2026-10269	LOW	[ai] An unbounded download vulnerability allows adversaries to exhaust system resources through large or uncontrolled downloads, causing denial-of-service by crashing or hanging applications. The SDK lacks proper size limits on downloads, leading to excessive memory or CPU consumption.

🔗 Related Tasks

• https://linear.app/a1base-ai/issue/A1B-1010