Unrated severity · OSV Advisory · Published Jan 7, 2026 · Updated Jan 8, 2026
axios4go's Race Condition in Shared HTTP Client Allows Proxy Configuration Leak
CVE-2026-21697
Description
axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global defaultClient is mutated during request execution without synchronization, directly modifying the shared http.Client's Transport, Timeout, and CheckRedirect properties. Impacted applications include those that use axios4go with concurrent requests (multiple goroutines, GetAsync, PostAsync, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.
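The pattern described above, reduced to a simplified model and shown beside a per-request alternative. This is an added example, not axios4go's code or its actual fix; `shared`, `clientUnsafe`, `clientSafe`, `proxyOf` and the `example.test` hosts are hypothetical names constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// shared stands in for a package-level default client (hypothetical, constructed here).
var shared = &http.Client{Transport: &http.Transport{}}

// clientUnsafe writes the per-request proxy into the shared client with no
// lock: the write races with other goroutines and persists for later callers.
func clientUnsafe(proxy string) *http.Client {
	if u, err := url.Parse(proxy); err == nil && proxy != "" {
		shared.Transport = &http.Transport{Proxy: http.ProxyURL(u)}
	}
	return shared
}

// clientSafe copies the client and clones the transport; shared is never written.
func clientSafe(proxy string) (*http.Client, error) {
	c := *shared
	tr := shared.Transport.(*http.Transport).Clone()
	if proxy != "" {
		u, err := url.Parse(proxy)
		if err != nil {
			return nil, err
		}
		tr.Proxy = http.ProxyURL(u)
	}
	c.Transport = tr
	return &c, nil
}

// proxyOf returns the proxy a client would use ("" means a direct connection).
func proxyOf(c *http.Client) string {
	if tr := c.Transport.(*http.Transport); tr.Proxy != nil {
		req, _ := http.NewRequest("GET", "http://api.example.test/", nil)
		if u, _ := tr.Proxy(req); u != nil {
			return u.String()
		}
	}
	return ""
}

func main() {
	clientUnsafe("http://proxy-a.example.test:8080") // caller A sets its proxy
	fmt.Println("caller B, no proxy requested:", proxyOf(clientUnsafe("")))
}
```

A cloned transport keeps its own connection pool, so code that needs connection reuse would cache one client per distinct configuration instead of cloning on every request.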
References
- github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842 (mitre, x_refsource_MISC)
- github.com/rezmoss/axios4go/releases/tag/v0.6.4 (mitre, x_refsource_MISC)
- github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47 (mitre, x_refsource_CONFIRM)