Unrated severity · OSV Advisory · Published Jan 7, 2026 · Updated Jan 8, 2026
axios4go's Race Condition in Shared HTTP Client Allows Proxy Configuration Leak
CVE-2026-21697
Description
axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global defaultClient is mutated during request execution without synchronization, directly modifying the shared http.Client's Transport, Timeout, and CheckRedirect properties. Impacted applications include those that use axios4go with concurrent requests (multiple goroutines, GetAsync, PostAsync, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.
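The effect of mutating a shared client per request can be shown deterministically by replaying one interleaving in order, with no real concurrency. This is an added illustration, not axios4go's code: `sharedClient`, `configureShared`, `configureIsolated` and the `.example` hosts are hypothetical, and the per-request client is one safe pattern, not necessarily how 0.6.4 fixes the issue.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Hypothetical stand-in for a package-level default client (not axios4go's code).
var sharedClient = &http.Client{}

// configureShared shows the flawed pattern: per-request settings are written
// into the one shared client, with no lock and no copy.
func configureShared(proxy *url.URL) *http.Client {
	sharedClient.Transport = &http.Transport{Proxy: http.ProxyURL(proxy)}
	return sharedClient
}

// configureIsolated shows a safe pattern: each request gets its own client.
func configureIsolated(proxy *url.URL) *http.Client {
	return &http.Client{Transport: &http.Transport{Proxy: http.ProxyURL(proxy)}}
}

// proxyHost reports the proxy host c would use for target ("" means direct).
func proxyHost(c *http.Client, target string) string {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return ""
	}
	u, err := c.Transport.(*http.Transport).Proxy(req)
	if err != nil || u == nil {
		return ""
	}
	return u.Host
}

// interleave replays one schedule in order: request A is configured, request B
// is configured, then A is sent. Hosts below are constructed sample values.
func interleave(configure func(*url.URL) *http.Client) string {
	a := configure(&url.URL{Scheme: "http", Host: "proxy-a.example:8080"})
	configure(&url.URL{Scheme: "http", Host: "proxy-b.example:8080"})
	return proxyHost(a, "https://api.example/v1/token")
}

func main() {
	fmt.Println("shared client, request A goes via:  ", interleave(configureShared))
	fmt.Println("isolated client, request A goes via:", interleave(configureIsolated))
}
```

With the shared client, request A is routed through the proxy configured for request B; in real concurrent code the same write is also a data race that `go test -race` reports.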
Affected products (1)
Patches (0)
No patches discovered yet.
References (3)
- github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842 (mitre, x_refsource_MISC)
- github.com/rezmoss/axios4go/releases/tag/v0.6.4 (mitre, x_refsource_MISC)
- github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47 (mitre, x_refsource_CONFIRM)