| CVE | Severity | Score | Score | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42043 | critical | 10.0 | 10.0 | 1mo ago | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 |
| CVE-2025-62718 | critical | 9.9 | 9.9 | 2mo ago | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback… |
| CVE-2026-42264 | critical | 9.1 | 9.1 | 27d ago | Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking |
| CVE-2026-42044 | critical | 9.1 | 9.1 | 1mo ago | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` |
| CVE-2026-42039 | high | 7.5 | 7.5 | 1mo ago | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data |
| CVE-2026-42038 | high | 7.5 | 7.5 | 1mo ago | Axios: no_proxy bypass via IP alias allows SSRF |
| CVE-2026-25639 | high | 7.5 | 7.5 | 4mo ago | Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig |
| CVE-2026-42035 | high | 7.4 | 7.4 | 1mo ago | Axios: Header Injection via Prototype Pollution |
| CVE-2026-42033 | high | 7.4 | 7.4 | 1mo ago | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking |
| CVE-2026-42041 | medium | 6.5 | 6.5 | 1mo ago | Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy |
| CVE-2026-42042 | medium | 5.4 | 5.4 | 1mo ago | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion |
| CVE-2026-42037 | medium | 5.3 | 5.3 | 1mo ago | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream |
| CVE-2026-42036 | medium | 5.3 | 5.3 | 1mo ago | Axios: HTTP adapter streamed responses bypass maxContentLength |
| CVE-2026-42034 | medium | 5.3 | 5.3 | 1mo ago | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 |
| CVE-2026-40175 | medium | 4.8 | 4.8 | 2mo ago | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain |
| CVE-2026-42040 | low | 3.7 | 3.7 | 1mo ago | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams |
| CVE-2026-44495 | unknown | — | — | 5d ago | axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge |
| CVE-2026-44494 | unknown | — | — | 5d ago | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` |
| CVE-2026-44492 | unknown | — | — | 5d ago | axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) |
| CVE-2026-44490 | unknown | — | — | 5d ago | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions |
| CVE-2026-44489 | unknown | — | — | 5d ago | Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix |
| CVE-2026-39865 | unknown | — | — | 2mo ago | Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a mali… |
| CVE-2025-58754 | unknown | — | — | 9mo ago | Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` sch… |
| CVE-2025-54371 | unknown | — | — | 11mo ago | Withdrawn Advisory: Axios has Transitive Critical Vulnerability via form-data |
| CVE-2025-27152 | unknown | — | — | 1y ago | axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the req… |
| CVE-2024-39338 | unknown | — | — | 2y ago | axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs. |
| CVE-2023-45857 | unknown | — | — | 3y ago | An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing atta… |
| CVE-2021-3749 | unknown | — | — | 5y ago | axios is vulnerable to Inefficient Regular Expression Complexity |
| CVE-2020-28168 | unknown | — | — | 6y ago | Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host … |
| CVE-2019-10742 | unknown | — | — | 7y ago | Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded. |