Medium severity (5.9) · NVD Advisory · Published Apr 8, 2026 · Updated Apr 27, 2026
CVE-2026-39865
Description
Axios is a promise-based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, the Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js: the session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| axios (npm) | >= 1.13.0, < 1.13.2 | 1.13.2 |
Affected products
osv-coords, 8 versions (no CPE for any entry):

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/kibana-7 | < 7.17.29-r8 |
| pkg:apk/chainguard/kubeflow-centraldashboard | < 1.10.0-r19 |
| pkg:apk/chainguard/langfuse-2 | < 2.95.12-r19 |
| pkg:apk/chainguard/langfuse-2-worker | < 2.95.12-r19 |
| pkg:apk/chainguard/langfuse-fips-2 | < 2.95.12-r22 |
| pkg:apk/chainguard/langfuse-fips-2-worker | < 2.95.12-r22 |
| pkg:apk/wolfi/kubeflow-centraldashboard | < 1.10.0-r19 |
| pkg:npm/axios | >= 1.13.0, < 1.13.2 |
References
- github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8 (source: nvd; tags: Exploit, Vendor Advisory; type: WEB)
- github.com/advisories/GHSA-qj83-cq47-w5f8 (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-39865 (source: ghsa; type: ADVISORY)
- github.com/axios/axios/commit/0588880ac7ddba7594ef179930493884b7e90bf5 (source: nvd; type: WEB)
- github.com/axios/axios/releases/tag/v1.13.2 (source: nvd; type: WEB)