Vulnerability Intelligence

Public vulnerability intelligence, dependency exposure and research context for npm packages.

•••
🌐

axios

Promise-based HTTP client for browser and Node.js security research

HTTP Client
Current tracked 0.22.0
Fixed 1.6.0+
Affected 0.8.1 - 1.5.1; additional advisories affect later vulnerable ranges

Axios is a promise-based HTTP client for browsers and Node.js. It is widely used to perform API requests, configure headers, process JSON payloads, handle redirects, manage timeouts, and integrate frontend or backend services with external APIs. Its security relevance comes from its position at the boundary between application logic, user-controlled URLs, authentication state, browser cookies, and backend request handling.

Category HTTP Client
Ecosystem npm / JavaScript
Common usage API clients, frontend requests, backend service integrations, authentication flows, redirects, headers, JSON payloads, and HTTP automation.
Risk model High-risk dependency when used across authentication boundaries, SSRF-sensitive backend flows, browser credentialed requests, redirects, custom headers, URL construction, or untrusted configuration merging.
•••
Why it is widely used
Simple API compared to lower-level HTTP handling.
Works across browser and Node.js environments.
Supports interceptors for request and response flows.
Handles JSON, headers, timeout and request configuration cleanly.
Risk score 88
Known issues 10
Exploit maturity Public advisories, reproducible local PoCs, and active exploitation relevance
•••
Vulnerability burndown
May 2025 Jun 2025
Critical High Medium
•••
MTTR critical severity
14 days
No data
•••
Library risk age
373 days
100% lower than last month
•••
Total vulnerabilities
10 Vulnerabilities
Critical 1 High 4 Medium 5 Low 0
Severity Vulnerability name Library Surface Status Published date SLA Tags Actions
Critical Cross-site Request Forgery axios@0.22.0 HTTP client New May 28, 2025 7 days CSRF
High Regular Expression Denial of Service axios@0.22.0 Regex New May 16, 2025 20 days ReDoS
High Prototype Pollution (mergeConfig) axios <0.31.1 Config handling New Jun 2025 30 days Prototype Pollution
High Uncontrolled Recursion (toFormData) Validated PoC axios <0.31.1 Serializer / multipart form-data conversion Published 2025-06-01 Upgrade to 0.31.1 DoS
High HTTP Response Splitting via Headers Validated PoC axios <0.31.0 Headers / CRLF propagation Published 2025-06-01 Upgrade to 0.31.0 Header Injection
Medium XSRF Token Leakage via Config Manipulation Validated PoC axios <0.31.1 HTTP headers / XSRF token propagation Published 2025-06-01 Upgrade to 0.31.1 Data Leak
Medium Bypass of maxContentLength (large response) Validated PoC axios <0.31.1 HTTP adapter / stream response handling Published 2025-06-01 Upgrade to 0.31.1 DoS
Medium Bypass of maxBodyLength (upload) Validated PoC axios <0.31.1 HTTP adapter / streamed upload handling Published 2025-06-01 Upgrade to 0.31.1 DoS
Medium Improper Encoding (NUL byte injection) Validated PoC axios <0.31.1 URL params / AxiosURLSearchParams serialization Published 2025-06-01 Upgrade to 0.31.1 Encoding
Medium Server-side Request Forgery (SSRF) Validated PoC axios <0.30.0 Request handling / user-controlled URL fetching Published 2025-05-01 Upgrade to 0.30.0 SSRF
FikreSekhel Research

Research Notes

Behavioral findings, exploitability observations and operational dependency intelligence produced by FikreSekhel for this library.

AXIOS-RN-2026-001

HTTP/2 Session Cache Fragmentation via Non-Canonical Option Equivalence

Behavioral analysis of transport option structural equality causing HTTP/2 session pool fragmentation under dynamically generated semantically equivalent configurations.

Observed Low Confirmed
Research identified that Axios HTTP/2 session reuse logic relies on structural equality of http2Options rather than transport semantic equivalence. Dynamically generated option objects containing irrelevant undefined-valued keys can fragment the session cache, resulting in unnecessary HTTP/2 session creation and degraded pooling efficiency. The Axios maintainers reviewed and classified the behavior as intended API usage rather than a security advisory candidate.
Surface HTTP/2 Transport Session Pooling
Primitive Session Cache Fragmentation
Tested versions Axios repository state (May 2026)
Observed behavior

When requests target the same authority but supply dynamically varying http2Options objects containing irrelevant undefined-valued keys, Axios allocates distinct HTTP/2 sessions rather than reusing existing pooled sessions. This produces linear session growth, increased socket handle count, and elevated memory consumption under repeated request execution.

Security implication

No confidentiality, integrity, or isolation boundary violation was observed. No cross-session leakage, authority confusion, memory corruption, authentication bypass, or remote code execution primitive was identified. The behavior is best classified as an operational resource-efficiency caveat relevant to application-layer transport configuration normalization.

Mitigation

Applications deriving http2Options dynamically should normalize transport configuration objects prior to Axios invocation. Implement deterministic allowlisting, canonical ordering, and elimination of semantically irrelevant undefined-valued properties before request dispatch. Multi-tenant transport wrappers should avoid exposing raw low-level HTTP/2 transport options directly to untrusted request context.

Observed before mitigation 
[CONTROL] i=250 rss=53MB heap=13MB handles=3
Active sessions: 1
Observed after mitigation 
[FRAGMENTED] i=250 rss=68MB heap=17MB handles=254
Active sessions: ~300
View PoC code 
const client = axios.create({
  baseURL: "http://localhost:3002",
  httpVersion: 2,
  http2Options: {
    sessionTimeout: 30000,
    ["irrelevant_" + i]: undefined
  }
});

for (let i = 0; i < 300; i++) {
  await client.get("/");
}
View mitigation code 
const stableClient = axios.create({
  baseURL: "http://localhost:3002",
  httpVersion: 2,
  http2Options: {
    sessionTimeout: 30000
  }
});
View FRES detection heuristic 
Flag runtime patterns where semantically equivalent transport configuration objects are reconstructed per request with varying shape but identical transport semantics.
Behavioral Analysis 2026-05-28
1 2 3
Need private intelligence for your codebase? Request deeper analysis, exploitability review and dependency risk mapping from the Fikresekhel consulting team.