axios — Vulnerabilities & Security Advisories 31

Browse all 31 CVE security advisories affecting axios. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Axios is a widely adopted HTTP client for JavaScript environments, primarily utilized in browser and Node.js applications to simplify asynchronous data fetching. Despite its popularity, the library has faced 21 recorded Common Vulnerabilities and Exposures (CVEs), predominantly stemming from improper input validation and prototype pollution issues. These flaws often enable remote code execution or cross-site scripting attacks when user-controlled data is passed directly into configuration objects without sanitization. Notably, several vulnerabilities allowed attackers to bypass security controls by manipulating internal headers or request parameters. While Axios itself does not store data, its widespread integration into frontend frameworks makes it a frequent target for supply chain attacks. Developers must ensure strict input validation and keep dependencies updated to mitigate risks associated with these historical security gaps, particularly in applications handling sensitive user information.

Found 30 results / 31
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-44486 | Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection | axios | CWE-200 | 7.5 | High | 2026-06-11 |
| CVE-2026-44487 | Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter | axios | CWE-201 | - | - | 2026-06-11 |
| CVE-2026-44488 | Axios: Allocation of Resources Without Limits or Throttling in axios | axios | CWE-770 | 7.5 | High | 2026-06-11 |
| CVE-2026-44490 | Axios: DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions | axios | CWE-1321 | 4.8 | Medium | 2026-06-11 |
| CVE-2026-44496 | Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection | axios | CWE-400 | 7.5 | High | 2026-06-11 |
| CVE-2026-44495 | Axios: Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge | axios | CWE-94 | 7.0 | High | 2026-06-11 |
| CVE-2026-44494 | Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` | axios | CWE-441 | 8.7 | High | 2026-06-11 |
| CVE-2026-44489 | Axios: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix | axios | CWE-113 | 3.7 | Low | 2026-06-11 |
| CVE-2026-44492 | Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) | axios | CWE-918 | 8.6 | High | 2026-06-11 |
| CVE-2026-42264 | Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking | axios | CWE-1321 | 7.4 | High | 2026-05-08 |
| CVE-2026-42042 | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion | axios | CWE-183 | 5.4 | Medium | 2026-04-24 |
| CVE-2026-42039 | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data | axios | CWE-674 | 7.5 (AI) | High (AI) | 2026-04-24 |
| CVE-2026-42036 | Axios: HTTP adapter streamed responses bypass maxContentLength | axios | CWE-770 | 5.3 | Medium | 2026-04-24 |
| CVE-2026-42034 | Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0 | axios | CWE-770 | 5.3 | Medium | 2026-04-24 |
| CVE-2026-42037 | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream | axios | CWE-93 | 5.3 | Medium | 2026-04-24 |
| CVE-2026-42038 | Axios: no_proxy bypass via IP alias allows SSRF | axios | CWE-918 | 6.8 | Medium | 2026-04-24 |
| CVE-2026-42041 | Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy | axios | CWE-287 | 4.8 | Medium | 2026-04-24 |
| CVE-2026-42043 | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 | axios | CWE-183 | 7.2 | High | 2026-04-24 |
| CVE-2026-42044 | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` | axios | CWE-915 | 6.5 | Medium | 2026-04-24 |
| CVE-2026-42040 | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams | axios | CWE-116 | 3.7 | Low | 2026-04-24 |
| CVE-2026-42035 | Axios: Header Injection via Prototype Pollution | axios | CWE-113 | 7.4 | High | 2026-04-24 |
| CVE-2026-42033 | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking | axios | CWE-1321 | 7.4 | High | 2026-04-24 |
| CVE-2026-40175 | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | axios | CWE-113 | 4.8 | Medium | 2026-04-10 |
| CVE-2025-62718 | Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF | axios | CWE-441 | 7.4 (AI) | High (AI) | 2026-04-09 |
| CVE-2026-39865 | Axios HTTP/2 Session Cleanup State Corruption Vulnerability | axios | CWE-400 | 5.9 | Medium | 2026-04-08 |
| CVE-2026-25639 | Axios affected by Denial of Service via __proto__ Key in mergeConfig | axios | CWE-754 | 7.5 | High | 2026-02-09 |
| CVE-2025-58754 | Axios is vulnerable to DoS attack through lack of data size check | axios | CWE-770 | 7.5 | High | 2025-09-12 |
| CVE-2025-27152 | Possible SSRF and Credential Leakage via Absolute URL in axios Requests | axios | CWE-918 | 10.0 | - | 2025-03-07 |
| CVE-2024-57965 | Axios security vulnerability | axios | CWE-346 | - | - | 2025-01-29 |
| CVE-2019-10742 | Axios input validation error vulnerability | axios | - | 7.5 | - | 2019-05-07 |

This page lists every published CVE security advisory associated with axios. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.