Vulnerability Intelligence

Public vulnerability intelligence, dependency exposure and research context for npm packages.


axios

Promise-based HTTP client for browser and Node.js (security research profile)

Current tracked version: 0.22.0
Fixed in: 1.6.0+
Affected: 0.8.1 - 1.5.1; additional advisories affect later vulnerable ranges

Axios is a promise-based HTTP client for browsers and Node.js. It is widely used to perform API requests, configure headers, process JSON payloads, handle redirects, manage timeouts, and integrate frontend or backend services with external APIs. Its security relevance comes from its position at the boundary between application logic, user-controlled URLs, authentication state, browser cookies, and backend request handling.

Category: HTTP Client
Ecosystem: npm / JavaScript
Common usage: API clients, frontend requests, backend service integrations, authentication flows, redirects, headers, JSON payloads, and HTTP automation.
Risk model: High-risk dependency when used across authentication boundaries, SSRF-sensitive backend flows, browser credentialed requests, redirects, custom headers, URL construction, or untrusted configuration merging.
Why it is widely used
Simple API compared to lower-level HTTP handling.
Works across browser and Node.js environments.
Supports interceptors for request and response flows.
Handles JSON, headers, timeout and request configuration cleanly.
Risk score: 88
Known issues: 10
Exploit maturity: Public advisories, reproducible local PoCs, and relevance to active exploitation
Vulnerability burndown: chart covering May 2025 to Jun 2025 (series: Critical, High, Medium)
MTTR, critical severity: 14 days
No data
Library risk age: 373 days (100% lower than last month)
Total vulnerabilities: 10 (Critical 1, High 4, Medium 5, Low 0)
| Severity | Vulnerability name | Library | Surface | Status | Published date | SLA | Tags | Actions |
| Critical | Cross-site Request Forgery | axios@0.22.0 | HTTP client | New | 2025-05-28 | 7 days | CSRF | |
| High | Regular Expression Denial of Service | axios@0.22.0 | Regex | New | 2025-05-16 | 20 days | ReDoS | |
| High | Prototype Pollution (mergeConfig) | axios <0.31.1 | Config handling | New | Jun 2025 | 30 days | Prototype Pollution | |
| High | Uncontrolled Recursion (toFormData) | axios <0.31.1 | Serializer / multipart form-data conversion | Published (validated PoC) | 2025-06-01 | | DoS | Upgrade to 0.31.1 |
| High | HTTP Response Splitting via Headers | axios <0.31.0 | Headers / CRLF propagation | Published (validated PoC) | 2025-06-01 | | Header Injection | Upgrade to 0.31.0 |
| Medium | XSRF Token Leakage via Config Manipulation | axios <0.31.1 | HTTP headers / XSRF token propagation | Published (validated PoC) | 2025-06-01 | | Data Leak | Upgrade to 0.31.1 |
| Medium | Bypass of maxContentLength (large response) | axios <0.31.1 | HTTP adapter / stream response handling | Published (validated PoC) | 2025-06-01 | | DoS | Upgrade to 0.31.1 |
| Medium | Bypass of maxBodyLength (upload) | axios <0.31.1 | HTTP adapter / streamed upload handling | Published (validated PoC) | 2025-06-01 | | DoS | Upgrade to 0.31.1 |
| Medium | Improper Encoding (NUL byte injection) | axios <0.31.1 | URL params / AxiosURLSearchParams serialization | Published (validated PoC) | 2025-06-01 | | Encoding | Upgrade to 0.31.1 |
| Medium | Server-side Request Forgery (SSRF) | axios <0.30.0 | Request handling / user-controlled URL fetching | Published (validated PoC) | 2025-05-01 | | SSRF | Upgrade to 0.30.0 |
FikreSekhel Research

Research Notes

Behavioral findings, exploitability observations and operational dependency intelligence produced by FikreSekhel for this library.

FS-AXIOS-REDIRECT-001

Cross-Origin Redirect Custom Header Leakage

Custom credential propagation across outbound trust-boundary transitions

Status: Validated, Confirmed. Severity: High.
Runtime validation confirmed that Axios redirect processing may preserve application-defined custom sensitive headers during cross-origin redirect chains even when standard Authorization headers are stripped.
Surface: Redirect Processing
Primitive: Custom Header Credential Propagation
Tested versions: 1.8.1
Observed behavior

FikreSekhel runtime instrumentation demonstrated that a trusted Axios client initiated a request toward an expected internal origin, received a redirect response, and automatically followed the redirect to a different origin while preserving X-API-Key header material. Authorization was removed, but custom credential propagation persisted across origin transition.

Security implication

Applications relying exclusively on Authorization stripping during redirect handling may still leak service credentials encoded in custom headers. This creates credential exposure risk in webhook processors, API gateways, redirect-capable integrations, metadata retrieval services and multi-tenant backend routing flows.

Mitigation

Disable automatic redirects when they are not needed (maxRedirects: 0), validate redirect destinations explicitly against an allowlist, and strip every custom credential-bearing header in a beforeRedirect hook whenever the destination origin differs from the one the request was sent to. Both options apply only to the Node.js http adapter: in the browser the redirect is followed by the browser itself and axios never sees the intermediate response, so credentials there must be kept out of reusable headers instead. Treat each redirect hop as an explicit outbound trust-boundary transition.

Observed: initial request (before redirect)
Initial trusted request included Authorization and X-API-Key toward the internal destination.
Observed: redirected request (after cross-origin redirect)
Redirected cross-origin request removed Authorization but preserved X-API-Key toward the untrusted destination.
FRES detection heuristic: Flag outbound clients where reusable credential-bearing instances permit redirect traversal across trust zones.
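The mitigation described in this note, as an added example that is neither axios's nor FikreSekhel's code: a pure same-origin check that decides which headers survive a redirect hop, and a factory for the axios `beforeRedirect` hook (Node http adapter only) that applies it and refuses destinations outside an allowlist. The credential header names, the hostnames internal.example and collector.example, and the field layout of the `options` object the hook receives (protocol, hostname, port, path, headers, as populated by follow-redirects from the Location header) are assumptions to verify against the installed axios version.

```javascript
// Added example (not axios or FikreSekhel code): a redirect guard for axios's
// Node.js http adapter that strips credential-bearing headers whenever a
// redirect leaves the origin the request was sent to.

// Header names treated as credentials. follow-redirects (axios's redirect
// engine in Node) already drops Authorization and Cookie on a cross-host
// redirect; the application-defined names below are an assumption for this
// example and must match whatever your services actually send.
const CREDENTIAL_HEADERS = [
  'authorization', 'proxy-authorization', 'cookie',
  'x-api-key', 'x-auth-token', 'x-internal-token',
];

// Origin = scheme + host + port. WHATWG URL normalises default ports to '',
// so https://a.example and https://a.example:443 compare as the same origin,
// while a scheme downgrade (https -> http) on the same host does not.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Pure decision function: returns the headers to send to `toUrl` plus the
// names that were removed. Nothing is stripped on a same-origin redirect.
function stripCredentialHeaders(headers, fromUrl, toUrl, credentialHeaders = CREDENTIAL_HEADERS) {
  if (sameOrigin(fromUrl, toUrl)) {
    return { headers: { ...headers }, stripped: [] };
  }
  const kept = {};
  const stripped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (credentialHeaders.includes(name.toLowerCase())) {
      stripped.push(name);
    } else {
      kept[name] = value;
    }
  }
  return { headers: kept, stripped };
}

// Builds a hook for the axios `beforeRedirect(options, responseDetails)`
// config option (Node only). `options` is the request-options object for the
// redirected hop; the fields read here (protocol, hostname, port, path,
// headers) are the ones follow-redirects fills in from the Location URL.
// That layout is an assumption to check against your installed version.
// Throwing from the hook aborts the request, which is how a destination
// outside the allowlist is refused.
function makeBeforeRedirect(originalUrl, allowedHosts = [], credentialHeaders = CREDENTIAL_HEADERS) {
  return function beforeRedirect(options, responseDetails) {
    const port = options.port ? `:${options.port}` : '';
    const target = `${options.protocol}//${options.hostname}${port}${options.path || '/'}`;
    const targetHost = new URL(target).hostname;
    if (allowedHosts.length > 0 && !allowedHosts.includes(targetHost)) {
      throw new Error(`redirect (${responseDetails.statusCode}) to ${targetHost} refused: not in allowlist`);
    }
    const result = stripCredentialHeaders(options.headers || {}, originalUrl, target, credentialHeaders);
    options.headers = result.headers; // this object is what the redirected hop sends
    return result.stripped;
  };
}

// Constructed replay of the finding above: a request sent to an internal
// origin with Authorization and X-API-Key is redirected to a different origin.
function demo() {
  const from = 'https://internal.example/webhook';
  const to = 'https://collector.example/capture';
  const sent = { Authorization: 'Bearer demo', 'X-API-Key': 'demo-key', Accept: 'application/json' };
  return stripCredentialHeaders(sent, from, to);
}

// Usage with axios in Node (not executed here):
//   axios.get(url, {
//     headers,
//     maxRedirects: 3, // or 0 to refuse redirects entirely
//     beforeRedirect: makeBeforeRedirect(url, ['internal.example']),
//   });

console.log(demo());
```

The hook compares against the origin of the original request rather than the previous hop, so a chain that bounces through an allowed host and back out still loses its credentials at the first cross-origin transition; if a destination should never be reached at all, put it outside the allowlist and let the thrown error surface as a request failure.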