VYPR
Medium severity (5.9) · NVD Advisory · Published Apr 8, 2026 · Updated Apr 27, 2026

CVE-2026-39865

Description

Axios is a promise-based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, the Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js: the session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: axios (npm)
Affected versions: >= 1.13.0, < 1.13.2
Patched versions: 1.13.2

Affected products

  • cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*
    Range: >=1.0.0,<1.13.2

Patches

0588880ac7dd

fix(http): use default export for http2 module to support stubs; (#7196)

https://github.com/axios/axios · Kasper Isager Dalsgarð · Oct 29, 2025 · via ghsa
1 file changed · +9 -9
  • lib/adapters/http.js (+9 -9, modified)
    @@ -1,11 +1,11 @@
    -import { connect, constants } from 'http2';
     import utils from './../utils.js';
     import settle from './../core/settle.js';
     import buildFullPath from '../core/buildFullPath.js';
     import buildURL from './../helpers/buildURL.js';
     import proxyFromEnv from 'proxy-from-env';
     import http from 'http';
     import https from 'https';
    +import http2 from 'http2';
     import util from 'util';
     import followRedirects from 'follow-redirects';
     import zlib from 'zlib';
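Review bot: Replacing the named `connect, constants` import with the default `http2` import changes every existing call site of `connect` and `constants` in this file; confirm the remaining hunks cover all of them, since any leftover bare `connect(...)` or `constants` reference would now throw a ReferenceError when that code path runs rather than failing at import time.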
    @@ -36,13 +36,6 @@ const brotliOptions = {
       finishFlush: zlib.constants.BROTLI_OPERATION_FLUSH
     }
     
    -const {
    -  HTTP2_HEADER_SCHEME,
    -  HTTP2_HEADER_METHOD,
    -  HTTP2_HEADER_PATH,
    -  HTTP2_HEADER_STATUS
    -} = constants;
    -
     const isBrotliSupported = utils.isFunction(zlib.createBrotliDecompress);
     
     const {http: httpFollow, https: httpsFollow} = followRedirects;
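Review bot: Dropping the module-scope destructuring of the four `HTTP2_HEADER_*` names means they are no longer defined at import time; any other module-level reference to them outside `http2Transport` would break, so grep the file for these names before merging. A short note in the commit message that `http2.constants` is now read lazily so a test stub can replace the module would also help the next reader.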
    @@ -85,7 +78,7 @@ class Http2Sessions {
           }
         }
     
    -    const session = connect(authority, options);
    +    const session = http2.connect(authority, options);
     
         let removed;
     
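Review bot: This is the only change inside `getSession()`, and the session-removal control flow that follows `let removed;` is left untouched; since the advisory above describes the crash as a control flow error when removing sessions from the sessions array, make sure that fix lands in a separate commit and that this import refactor is not mistaken for it when the advisory's patch links are assembled.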
    @@ -276,6 +269,13 @@ const http2Transport = {
     
           const session = http2Sessions.getSession(authority, http2Options);
     
    +      const {
    +        HTTP2_HEADER_SCHEME,
    +        HTTP2_HEADER_METHOD,
    +        HTTP2_HEADER_PATH,
    +        HTTP2_HEADER_STATUS
    +      } = http2.constants;
    +
           const http2Headers = {
             [HTTP2_HEADER_SCHEME]: options.protocol.replace(':', ''),
             [HTTP2_HEADER_METHOD]: options.method,
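Review bot: The `http2.constants` destructuring now runs on every request inside `http2Transport`; that is cheap, but if the only goal is stubbing, a lazily initialised module-level lookup would keep the per-request path unchanged. Either way, a one-line comment explaining why the constants are read at request time rather than import time would stop a later cleanup from hoisting them back to module scope and silently undoing the stub support.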
    
