VYPR
High severity · NVD Advisory · Published Sep 12, 2025 · Updated Jan 16, 2026

Axios is vulnerable to DoS attack through lack of data size check

CVE-2025-58754

Description

Axios is a promise-based HTTP client for the browser and Node.js. When Axios (from version 0.28.0, prior to versions 0.30.2 and 1.12.0) runs on Node.js and is given a URL with the data: scheme, it does not perform an HTTP request. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response. This path ignores maxContentLength / maxBodyLength (which only protect HTTP responses), so an attacker can supply a very large data: URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested responseType: 'stream'. Versions 0.30.2 and 1.12.0 contain a patch for the issue.
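As an added example (not axios's own code), the following Node.js guard estimates the decoded size of a data: URI from its encoded text alone and rejects it against a byte limit before the URL is handed to the HTTP client, which is the class of check the description says the vulnerable data: path lacked. The convention that a negative maxContentLength means "unlimited" is assumed here to match axios's option of the same name.

```javascript
// Added example, not axios code: bound a data: URI before axios decodes it,
// since (per the advisory) maxContentLength only guarded real HTTP responses.

// Split "data:[<mediatype>][;base64],<data>" into base64 flag and payload.
function parseDataUri(uri) {
  if (typeof uri !== 'string' || !uri.startsWith('data:')) {
    throw new TypeError('not a data: URI');
  }
  const comma = uri.indexOf(',');
  if (comma === -1) throw new TypeError('malformed data: URI (no comma)');
  const flags = uri.slice(5, comma).split(';').map((p) => p.trim().toLowerCase());
  return { payload: uri.slice(comma + 1), isBase64: flags.includes('base64') };
}

// Decoded byte length of a data: URI, computed from the encoded text alone
// (O(1) memory) rather than by materialising the Buffer.
function estimateDecodedBytes(uri) {
  const { payload, isBase64 } = parseDataUri(uri);
  if (isBase64) {
    const clean = payload.replace(/\s+/g, ''); // decoders tolerate whitespace
    const pad = clean.endsWith('==') ? 2 : clean.endsWith('=') ? 1 : 0;
    return Math.floor((clean.length * 3) / 4) - pad;
  }
  // Percent-encoded payload: %XX is one byte, anything else its UTF-8 size.
  let bytes = 0;
  for (let i = 0; i < payload.length; ) {
    if (payload[i] === '%' && /^[0-9a-f]{2}$/i.test(payload.slice(i + 1, i + 3))) {
      bytes += 1;
      i += 3;
    } else {
      const cp = payload.codePointAt(i);
      bytes += cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
      i += cp > 0xffff ? 2 : 1;
    }
  }
  return bytes;
}

// Pre-flight guard for a request URL. maxContentLength follows the axios
// convention assumed here: a negative value means unlimited. HTTP(S) URLs
// pass through, since axios's own response limits apply to those.
function checkRequestUrl(url, maxContentLength) {
  if (!String(url).startsWith('data:')) return true;
  const size = estimateDecodedBytes(url);
  if (maxContentLength >= 0 && size > maxContentLength) {
    throw new RangeError(`data: URI decodes to ${size} bytes, limit ${maxContentLength}`);
  }
  return true;
}
```

Calling checkRequestUrl(url, config.maxContentLength) in a request interceptor keeps the limit enforced even on versions where the data: path ignores it.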

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Affected versions     Patched versions
axios (npm)   >= 1.0.0, < 1.12.0    1.12.0
axios (npm)   >= 0.28.0, < 0.30.2   0.30.2
