VYPR
Unrated severity · OSV Advisory · Published Jan 7, 2026 · Updated Jan 8, 2026

axios4go's Race Condition in Shared HTTP Client Allows Proxy Configuration Leak

CVE-2026-21697

Description

axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global defaultClient is mutated during request execution without synchronization, directly modifying the shared http.Client's Transport, Timeout, and CheckRedirect properties. Impacted applications include those that use axios4go with concurrent requests (multiple goroutines, GetAsync, PostAsync, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.
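The pattern described above, reduced to the proxy setting, as an added example that is not axios4go's code and not its 0.6.4 patch: a shared `http.Client` written per request next to a per-request copy. All function names and the `proxy-a.example.test` host are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// newShared stands in for a package-level default client (hypothetical name).
func newShared() *http.Client { return &http.Client{Transport: &http.Transport{}} }

// proxyFn builds a fixed-proxy selector for host:port (constructed sample hosts).
func proxyFn(hostPort string) func(*http.Request) (*url.URL, error) {
	return http.ProxyURL(&url.URL{Scheme: "http", Host: hostPort})
}

// applyShared is the flawed pattern: per-request settings are written into the
// shared client with no lock, so they persist for, and race with, other callers.
func applyShared(shared *http.Client, proxy string) *http.Client {
	if proxy != "" {
		shared.Transport.(*http.Transport).Proxy = proxyFn(proxy)
	}
	return shared
}

// applyCopy is the hardened pattern: clone the transport and build a private
// client per request; the shared client is read but never written.
func applyCopy(shared *http.Client, proxy string) *http.Client {
	t := shared.Transport.(*http.Transport).Clone()
	if proxy != "" {
		t.Proxy = proxyFn(proxy)
	}
	return &http.Client{Transport: t, Timeout: shared.Timeout, CheckRedirect: shared.CheckRedirect}
}

// proxyFor reports the proxy a client would use; no network I/O takes place.
func proxyFor(c *http.Client) string {
	t := c.Transport.(*http.Transport)
	if t.Proxy == nil {
		return ""
	}
	u, _ := t.Proxy(&http.Request{})
	return u.String()
}

func main() {
	s := newShared()
	applyShared(s, "proxy-a.example.test:8080")
	fmt.Println("next caller's proxy:", proxyFor(applyShared(s, "")))
}
```

The sequential run shows the leak deterministically; called from several goroutines, the same unsynchronized writes are also a data race that Go's race detector (`-race`) can report. Cloning a transport per request gives up connection reuse, so a client cached per distinct configuration behind a mutex is the usual way to keep isolation without that cost.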


Affected products

  • Rezmoss/Axios4go (OSV), 2 versions: v0.1.0, v0.2.0, v0.2.1, … + 1 more
    • (no CPE) range: v0.1.0, v0.2.0, v0.2.1, …
    • (no CPE) range: <0.6.4
