VYPR
Advisory · Published Jun 4, 2026 · 1 source

Axios: Four High-Severity Vulnerabilities Disclosed Together on June 4th


Key findings

  • Four high-severity vulnerabilities in Axios disclosed simultaneously on June 4th, 2026.
  • ReDoS vulnerability (CVE-2026-44496) due to unescaped cookie names in regex.
  • Resource exhaustion possible via unthrottled allocations with the fetch adapter (CVE-2026-44488).
  • Two CVEs (CVE-2026-44487, CVE-2026-44486) detail proxy credential leaks during redirects in Node.js.
  • Specific version ranges are affected; users should update Axios.

On June 4th, 2026, a batch of four high-severity vulnerabilities was disclosed for the popular JavaScript HTTP client library, Axios. These issues, all disclosed within a ten-minute window, highlight potential security risks in how Axios handles cookies, manages resource allocation, and processes proxy credentials.

One of the disclosed vulnerabilities, CVE-2026-44496, is a Regular Expression Denial of Service (ReDoS) flaw. This occurs when Axios builds a regular expression from a configured XSRF cookie name without properly escaping regex metacharacters. In environments where an attacker can influence the cookie name, this can lead to expensive regular expression evaluations, potentially causing denial of service.
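As an added illustration of the cookie-name issue (this is not Axios's own code), the JavaScript below shows a cookie reader that splices a configured name into a regular expression unescaped, beside a hardened version that escapes regex metacharacters first and rejects names outside the RFC 6265 token alphabet; the helper names and the sample cookie string are constructed for this example.

```javascript
// Constructed sample Cookie header used by the functions below.
const SAMPLE_COOKIES = 'session=abc; XSRF-TOKEN=tok123; other=1';

// Escape every character with special meaning in a JavaScript RegExp so the
// configured name is matched as a literal string.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// RFC 6265 cookie names are HTTP tokens: no separators, whitespace or CTLs.
// Rejecting anything else keeps metacharacters out of the pattern entirely.
const COOKIE_TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
function isValidCookieName(name) {
  return COOKIE_TOKEN.test(name);
}

// Unsafe pattern: the name is interpolated verbatim, so a name containing
// "." or "(" changes the pattern's meaning or makes it fail to compile.
function readCookieUnsafe(cookieHeader, name) {
  const re = new RegExp('(^|;\\s*)(' + name + ')=([^;]*)');
  const m = cookieHeader.match(re);
  return m ? decodeURIComponent(m[3]) : null;
}

// Hardened pattern: validate the name, then escape it before interpolation.
function readCookieSafe(cookieHeader, name) {
  if (!isValidCookieName(name)) {
    return null; // not a legal cookie name; never becomes regex syntax
  }
  const re = new RegExp('(^|;\\s*)(' + escapeRegExp(name) + ')=([^;]*)');
  const m = cookieHeader.match(re);
  return m ? decodeURIComponent(m[3]) : null;
}

// Returns whether constructing the unsafe pattern throws for a given name,
// which is what happens for names with unbalanced regex syntax such as "(".
function unsafeCompileFails(name) {
  try {
    readCookieUnsafe(SAMPLE_COOKIES, name);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}
```

Note that with the unsafe reader a name such as `XSRF.TOKEN` still returns the `XSRF-TOKEN` value because the dot matches any character, while the hardened reader treats the dot literally and finds no such cookie.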

Another significant vulnerability, CVE-2026-44488, relates to the allocation of resources without proper limits or throttling. Specifically, versions 1.7.0 through 1.15.x failed to enforce configured request and response size limits when using the fetch adapter. This could allow applications to receive or send bodies exceeding intended maximum sizes, leading to resource exhaustion.

Two related vulnerabilities, CVE-2026-44487 and CVE-2026-44486, both concern the leakage of Proxy-Authorization headers in Axios's Node.js HTTP adapter. Both can arise when a request is first sent through an authenticated HTTP proxy and Axios then follows a redirect. In certain redirect flows, particularly when the redirected request is no longer routed through the proxy, the Proxy-Authorization header can be forwarded to the redirect target or the origin server, potentially exposing credentials.

These vulnerabilities affect specific versions of Axios. For CVE-2026-44496, versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line are impacted. CVE-2026-44488 affects versions 1.7.0 through 1.15.x. The proxy-related vulnerabilities, CVE-2026-44487 and CVE-2026-44486, impact the Node.js HTTP adapter in affected versions. Users are advised to consult the official Axios advisories for precise version information and recommended upgrade paths.

The coordinated disclosure of these four high-severity issues underscores the importance of keeping the Axios library updated. Developers relying on Axios, particularly those handling sensitive data or operating in environments with untrusted input, should prioritize patching their applications to mitigate these risks.

Synthesized by Vypr AI