VYPR

Axios

by Axios

npm: axios

CVEs (33)

  • CVE-2026-42034 · Med · Apr 24, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller…

  • CVE-2026-44490 · Med · Jun 11, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios…

  • CVE-2026-42041 · Med · Apr 24, 2026
    risk 0.24 · cvss 4.8 · epss 0.01

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.),…

  • CVE-2026-40175 · Med · Apr 10, 2026
    risk 0.24 · cvss 4.8 · epss 0.02

    Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound…

  • CVE-2026-44489 · Low · Jun 11, 2026
    risk 0.17 · cvss 3.7 · epss 0.00

    Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at…

  • CVE-2026-42040 · Low · Apr 24, 2026
    risk 0.17 · cvss 3.7 · epss 0.00

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After…

  • CVE-2025-58754 · Sep 12, 2025
    risk 0.00 · cvss · epss 0.01

    Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire…

  • CVE-2025-27152 · Mar 7, 2025
    risk 0.00 · cvss · epss 0.01

    axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential…

  • CVE-2024-57965 · Jan 29, 2025
    risk 0.00 · cvss · epss 0.00

    In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute('href',href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not…

  • CVE-2024-39338 · Aug 9, 2024
    risk 0.00 · cvss · epss 0.01

    axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

  • CVE-2023-45857 · Nov 8, 2023
    risk 0.00 · cvss · epss 0.01

    An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

  • CVE-2021-3749 · Aug 31, 2021
    risk 0.00 · cvss · epss 0.09

    axios is vulnerable to Inefficient Regular Expression Complexity

  • CVE-2019-10742 · May 7, 2019
    risk 0.00 · cvss · epss 0.06

    Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.

Page 2 of 2