npm package
axios
pkg:npm/axios
2 malicious versions on record
One or more versions of this package have been flagged as containing malicious code. Audit any system that installed an affected version.
- MAL-2026-2307Malicious code in axios (npm)Mar 31, 2026
- GHSA-fw8c-xr5c-95f9Malware in axiosMar 31, 2026
Vulnerabilities (27)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-58754 | — | >= 1.0.0, < 1.12.0 | 1.12.0 | Sep 12, 2025 | Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire | ||
| CVE-2025-27152 | — | >= 1.0.0, < 1.8.2 | 1.8.2 | Mar 7, 2025 | axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka | ||
| CVE-2024-39338 | — | >= 1.3.2, < 1.7.4 | 1.7.4 | Aug 9, 2024 | axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs. | ||
| CVE-2023-45857 | — | >= 1.0.0, < 1.6.0 | 1.6.0 | Nov 8, 2023 | An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information. | ||
| CVE-2021-3749 | — | < 0.21.2 | 0.21.2 | Aug 31, 2021 | axios is vulnerable to Inefficient Regular Expression Complexity | ||
| CVE-2020-28168 | — | < 0.21.1 | 0.21.1 | Nov 6, 2020 | Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. | ||
| CVE-2019-10742 | — | < 0.18.1 | 0.18.1 | May 7, 2019 | Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded. |
- CVE-2025-58754Sep 12, 2025affected >= 1.0.0, < 1.12.0fixed 1.12.0
Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire
- CVE-2025-27152Mar 7, 2025affected >= 1.0.0, < 1.8.2fixed 1.8.2
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka
- CVE-2024-39338Aug 9, 2024affected >= 1.3.2, < 1.7.4fixed 1.7.4
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
- CVE-2023-45857Nov 8, 2023affected >= 1.0.0, < 1.6.0fixed 1.6.0
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
- CVE-2021-3749Aug 31, 2021affected < 0.21.2fixed 0.21.2
axios is vulnerable to Inefficient Regular Expression Complexity
- CVE-2020-28168Nov 6, 2020affected < 0.21.1fixed 0.21.1
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
- CVE-2019-10742May 7, 2019affected < 0.18.1fixed 0.18.1
Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.
Page 2 of 2