Vulnerability Intelligence

Public vulnerability intelligence, dependency exposure and research context for npm packages.

•••
🌐

axios

Promise-based HTTP client for browser and Node.js security research

HTTP Client
Current tracked 0.22.0
Fixed 1.6.0+
Affected 0.8.1 - 1.5.1; additional advisories affect later vulnerable ranges

Axios is a promise-based HTTP client for browsers and Node.js. It is widely used to perform API requests, configure headers, process JSON payloads, handle redirects, manage timeouts, and integrate frontend or backend services with external APIs. Its security relevance comes from its position at the boundary between application logic, user-controlled URLs, authentication state, browser cookies, and backend request handling.

Category HTTP Client
Ecosystem npm / JavaScript
Common usage API clients, frontend requests, backend service integrations, authentication flows, redirects, headers, JSON payloads, and HTTP automation.
Risk model High-risk dependency when used across authentication boundaries, SSRF-sensitive backend flows, browser credentialed requests, redirects, custom headers, URL construction, or untrusted configuration merging.
•••
Why it is widely used
Simple API compared to lower-level HTTP handling.
Works across browser and Node.js environments.
Supports interceptors for request and response flows.
Handles JSON, headers, timeout and request configuration cleanly.
Risk score 88
Known issues 10
Exploit maturity Public advisories, reproducible local PoCs, and active exploitation relevance
•••
Vulnerability burndown
May 2025 Jun 2025
Critical High Medium
•••
MTTR critical severity
14 days
No data
•••
Library risk age
373 days
100% lower than last month
•••
Total vulnerabilities
10 Vulnerabilities
Critical 1 High 4 Medium 5 Low 0
Severity Vulnerability name Library Surface Status Published date SLA Tags Actions
Critical Cross-site Request Forgery axios@0.22.0 HTTP client New May 28, 2025 7 days CSRF
High Regular Expression Denial of Service axios@0.22.0 Regex New May 16, 2025 20 days ReDoS
High Prototype Pollution (mergeConfig) axios <0.31.1 Config handling New Jun 2025 30 days Prototype Pollution
High Uncontrolled Recursion (toFormData) Validated PoC axios <0.31.1 Serializer / multipart form-data conversion Published 2025-06-01 Upgrade to 0.31.1 DoS
High HTTP Response Splitting via Headers Validated PoC axios <0.31.0 Headers / CRLF propagation Published 2025-06-01 Upgrade to 0.31.0 Header Injection
Medium XSRF Token Leakage via Config Manipulation Validated PoC axios <0.31.1 HTTP headers / XSRF token propagation Published 2025-06-01 Upgrade to 0.31.1 Data Leak
Medium Bypass of maxContentLength (large response) Validated PoC axios <0.31.1 HTTP adapter / stream response handling Published 2025-06-01 Upgrade to 0.31.1 DoS
Medium Bypass of maxBodyLength (upload) Validated PoC axios <0.31.1 HTTP adapter / streamed upload handling Published 2025-06-01 Upgrade to 0.31.1 DoS
Medium Improper Encoding (NUL byte injection) Validated PoC axios <0.31.1 URL params / AxiosURLSearchParams serialization Published 2025-06-01 Upgrade to 0.31.1 Encoding
Medium Server-side Request Forgery (SSRF) Validated PoC axios <0.30.0 Request handling / user-controlled URL fetching Published 2025-05-01 Upgrade to 0.30.0 SSRF
FikreSekhel Research

Research Notes

Behavioral findings, exploitability observations and operational dependency intelligence produced by FikreSekhel for this library.

RN-001

Multipart Header Authority in Axios

FormData-derived metadata can override explicitly supplied Authorization headers unless constrained by header policy.

Mitigated Medium Confirmed
FikreSekhel Intelligence analyzed multipart request construction behavior in Axios to evaluate how FormData metadata interacts with application-defined request headers.
Surface Multipart Request Construction
Primitive Header Authority Override
Tested versions axios@1.16.1
Observed behavior

By default, Axios accepted headers returned by FormData.getHeaders() and allowed those values to supersede an explicitly supplied Authorization header. The observed runtime request contained Authorization: Bearer attacker instead of the application-defined Authorization: Bearer legitimate.

Security implication

This behavior may become security-relevant when applications process multipart abstractions from untrusted wrappers, dynamically composed request pipelines, plugin systems, SDKs, middleware, or third-party integrations. The primary risk is header authority confusion rather than direct remote exploitation.

Mitigation

Setting formDataHeaderPolicy to content-only preserved application header authority and prevented arbitrary metadata such as Authorization and X-Evil from being propagated from FormData.getHeaders().

Observed before mitigation 
{
  "authorization": "Bearer attacker",
  "x-evil": "controlled",
  "content-type": "multipart/form-data"
}
Observed after mitigation 
{
  "authorization": "Bearer legitimate",
  "content-type": "multipart/form-data"
}
View PoC code 
import axios from "./index.js";
import FormData from "form-data";

const form = new FormData();
form.append("test", "hello");

const originalGetHeaders = form.getHeaders.bind(form);

form.getHeaders = function () {
  return {
    ...originalGetHeaders(),
    authorization: "Bearer attacker",
    "x-evil": "controlled"
  };
};

axios.post("http://localhost:3000", form, {
  headers: {
    authorization: "Bearer legitimate"
  },
  proxy: false
});
View mitigation code 
axios.post("http://localhost:3000", form, {
  headers: {
    authorization: "Bearer legitimate"
  },
  formDataHeaderPolicy: "content-only",
  proxy: false
});
View FRES detection heuristic 
Flag JavaScript projects using axios.post/put/patch with FormData and Authorization headers where formDataHeaderPolicy: "content-only" is missing. Increase confidence when getHeaders() is overridden, wrapped, monkey-patched, or exposed through custom upload abstractions.
Trust Boundary 2026-05-25
1 2 3
Need private intelligence for your codebase? Request deeper analysis, exploitability review and dependency risk mapping from the Fikresekhel consulting team.