org.webjars.npm:axios@1.15.0

  • latest version

    1.15.2

  • latest non vulnerable version

  • first published

    10 years ago

  • latest version published

    23 days ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.webjars.npm:axios package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • C
    Prototype Pollution

    org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Prototype Pollution when the Object.prototype has been polluted via a different exploit. The following properties in the HTTP adapter configuration may be manipulated, as they do not restrict their own property accesses with hasOwnProperty. An attacker can inject Authorization headers into the auth property, redirect external requests via the baseURL property or internal requests via the socketPath property, execute callbacks contained in HTTP redirects via the beforeRedirect property, or enable insecure HTTP parsing via the insecureHTTPParser property.

    How to fix Prototype Pollution?

    Upgrade org.webjars.npm:axios to version 1.15.2 or higher.

    [1.0.0,1.15.2)
    • M
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the AxiosHeaders normalization path and shouldBypassProxy helper. An attacker can smuggle CRLF and other control characters into request header values by supplying crafted header input, causing injected header fields to be sent on outbound requests and potentially altering how downstream servers interpret the request; in proxy configurations, a request to localhost, 127.0.0.1, or ::1 can be routed differently depending on the no_proxy entry, allowing loopback traffic to bypass the intended proxy handling.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade org.webjars.npm:axios to version 1.15.1 or higher.

    [,1.15.1)
    • M
    Incomplete List of Disallowed Inputs

    Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the isLoopback host check in the proxy helper, which relied on a static list of LOOPBACK_ADDRESSES. An attacker can route requests around an intended proxy by supplying loopback-style destinations such as 127.x.x.x, ::1, or IPv4-mapped IPv6 loopback addresses in a URL. This lets traffic to local services escape proxy controls, exposing internal endpoints and allowing requests to reach services the user expected to be mediated by a proxy.

    Note: This vulnerability is the result of an incomplete fix for CVE-2025-62718.

    How to fix Incomplete List of Disallowed Inputs?

    Upgrade org.webjars.npm:axios to version 1.15.1 or higher.

    [1.15.0,1.15.1)
    • M
    Improper Encoding or Escaping of Output

    Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the encode function in AxiosURLSearchParams. An attacker can smuggle a NUL byte into serialized query strings by supplying crafted parameter values, causing downstream parsers or backend components to misinterpret the request and potentially truncate or alter parameter handling.

    Note: The standard axios request flow (buildURL) uses its own encode function, which does not have this bug. The issue is only triggered by calling AxiosURLSearchParams.toString() directly without an encoder, or by delegating to it from a custom paramsSerializer.

    How to fix Improper Encoding or Escaping of Output?

    Upgrade org.webjars.npm:axios to version 1.15.1 or higher.

    [,1.15.1)
    • C
    HTTP Response Splitting

    Affected versions of this package are vulnerable to HTTP Response Splitting via the isFormData and getHeaders handling in the HTTP request path. An attacker can inject arbitrary request headers by supplying a prototype-polluted object that is mistaken for FormData, causing getHeaders() output to be merged into an outgoing request. This lets attacker-controlled values, such as authorization or custom headers, ride along with requests made by applications that pass untrusted objects into Axios, exposing credentials or altering server-side request handling.

    Notes

    • The gadget only matters when the request body is a non-FormData payload that Axios still routes through the Node HTTP adapter’s form-data detection path; browser-side usage is not implicated by this code path.
    • The advisory’s prototype-pollution prerequisite can come from any dependency in the application’s tree, not necessarily from Axios itself, so a separate merge/parser bug elsewhere can be enough to trigger the header injection.

    How to fix HTTP Response Splitting?

    Upgrade org.webjars.npm:axios to version 1.15.1 or higher.

    [,1.15.1)
    • M
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the data.pipe(req) upload path in the HTTP adapter. An attacker can send a streamed request body larger than the configured maxBodyLength while maxRedirects is 0, causing the client to transmit the oversized payload to the server instead of stopping at the limit. This lets a remote peer force excessive bandwidth and request processing on applications that rely on maxBodyLength to cap upload size, potentially exhausting resources and disrupting service.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade org.webjars.npm:axios to version 1.15.1 or higher.

    [,1.15.1)
    • M
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the HTTP response handling path in the http.js adapter. An attacker can force a client to accept and process a response body larger than maxContentLength by sending a streamed response with an oversized payload. This allows a remote server to bypass the configured response-size limit, causing the application to read and buffer more data than intended, potentially exhausting memory or stalling request processing.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade org.webjars.npm:axios to version 1.15.1 or higher.

    [,1.15.1)
    • M
    Insertion of Sensitive Information Into Sent Data

    Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data through the request configuration handling in the adapters/xhr.js adapter and helpers/resolveConfig.js. An attacker can force the withXSRFToken option to a truthy non-boolean value, or pollute Object.prototype.withXSRFToken, by supplying a crafted request config that causes the XSRF header to be sent on cross-origin requests. When withXSRFToken is treated as a generic truthy value, the same-origin check is bypassed, and the browser reads the XSRF cookie and attaches it to an attacker-controlled destination. This exposes the user's XSRF token to a cross-origin endpoint, potentially enabling request forgery against the victim's authenticated session.

    How to fix Insertion of Sensitive Information Into Sent Data?

    Upgrade org.webjars.npm:axios to version 1.15.1 or higher.

    [,1.15.1)
    • M
    CRLF Injection

    Affected versions of this package are vulnerable to CRLF Injection through the FormDataPart multipart header construction in the form-data streaming helper. An attacker can inject arbitrary multipart headers by supplying a Blob-like value whose type contains \r or \n, causing the generated Content-Type line to break and append attacker-controlled header fields. This lets a crafted upload alter the multipart body sent by the application, which can corrupt downstream request parsing and expose or tamper with data handled by the receiving server.

    How to fix CRLF Injection?

    Upgrade org.webjars.npm:axios to version 1.15.1 or higher.

    [1.3.0,1.15.1)
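The CRLF, NUL-byte and header-smuggling entries above share one defensive measure: reject or escape control characters before a value reaches the HTTP layer. The following is an added example, not axios code; the lenient encoder is constructed only to show the failure mode, and the header names are made up for the demo.

```javascript
// Added example (not axios code): defensive checks for the control-character
// issues in the advisories above. The lenient encoder and header names are
// constructed for this demo and are not taken from the axios source.

const CONTROL_CHARS = /[\r\n\0]/;

// Throw before a header value containing CR, LF or NUL reaches the HTTP layer.
function assertSafeHeaderValue(name, value) {
  const str = String(value);
  if (CONTROL_CHARS.test(str)) {
    throw new TypeError(`header "${name}" contains CR, LF or NUL`);
  }
  return str;
}

// Validate a whole headers object; returns the names that were rejected.
function rejectedHeaders(headers) {
  const bad = [];
  for (const [name, value] of Object.entries(headers)) {
    try {
      assertSafeHeaderValue(name, value);
    } catch (_) {
      bad.push(name);
    }
  }
  return bad;
}

// A lenient query encoder that escapes only a hand-picked set of reserved
// characters and lets NUL through unchanged (constructed to show the defect).
function lenientEncode(value) {
  return String(value).replace(/[&=+#?]/g, (c) =>
    '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
}

// Strict encoder: encodeURIComponent escapes every control character,
// so a NUL byte is emitted as %00 instead of raw.
function strictEncode(value) {
  return encodeURIComponent(String(value));
}

// Serialize params with the given encoder so both behaviours can be compared.
function buildQuery(params, encode) {
  return Object.entries(params)
    .map(([k, v]) => `${encode(k)}=${encode(v)}`)
    .join('&');
}
```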
    • C
    Prototype Pollution

    Affected versions of this package are vulnerable to Prototype Pollution through the mergeConfig code path in the request configuration handling. An attacker can influence request behavior by supplying a crafted config object with inherited properties such as transport, env, formSerializer, or transform callbacks on Object.prototype, causing Axios to use attacker-controlled settings during request dispatch and form serialization. This can redirect requests, alter serialization and response handling, and break application logic that relies on trusted per-request configuration.

    How to fix Prototype Pollution?

    Upgrade org.webjars.npm:axios to version 1.15.1 or higher.

    [,1.15.1)
    • H
    Improperly Controlled Modification of Dynamically-Determined Object Attributes

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes through the transformResponse and request serialization paths in the defaults configuration. An attacker can influence JSON parsing and request handling by supplying a crafted object with inherited parseReviver, responseType, transitional, env, or formSerializer properties, causing Axios to read attacker-controlled prototype values during response parsing or form encoding. This can lead to malformed response processing, unexpected parser behavior, and application-level data corruption or denial-of-service in code that passes untrusted config objects to Axios.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade org.webjars.npm:axios to version 1.15.2 or higher.

    [1.0.0,1.15.2)
    • H
    Uncontrolled Recursion

    Affected versions of this package are vulnerable to Uncontrolled Recursion through the toFormData recursive serializer in lib/helpers/toFormData.js. An attacker can crash a process by supplying a deeply nested object as request data or params, causing unbounded recursion and a call-stack overflow during multipart/form-data or query-string serialization.

    How to fix Uncontrolled Recursion?

    Upgrade org.webjars.npm:axios to version 1.15.1 or higher.

    [,1.15.1)
    • M
    Prototype Pollution

    Affected versions of this package are vulnerable to Prototype Pollution via the mergeDirectKeys function in mergeConfig. An attacker can force a request configuration to inherit attacker-controlled properties by supplying a polluted Object.prototype, causing Axios to read inherited values, such as validateStatus, during config merging. This lets a malicious page or library alter how responses are handled, including making 4xx and 5xx responses be treated as successful and bypassing normal error handling in applications that rely on Axios defaults.

    How to fix Prototype Pollution?

    Upgrade org.webjars.npm:axios to version 1.15.1 or higher.

    [,1.15.1)
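Several entries above (the hasOwnProperty gap in the HTTP adapter config, the mergeConfig and mergeDirectKeys issues, and the defaults-configuration lookups) come down to the same root cause: a config merge that reads inherited properties will pick up whatever a polluted Object.prototype supplies. The following is an added example, not axios code; it simulates the pollution gadget itself, using validateStatus as the inherited key the last entry names, and cleans up afterwards.

```javascript
// Added example (not axios code): a config merge that reads inherited
// properties picks up a polluted Object.prototype, while a merge that copies
// only own keys into a prototype-less object does not. The pollution below
// is constructed for the demo and removed again in the finally block.

const DEFAULTS = { validateStatus: (status) => status >= 200 && status < 300 };

// Naive merge: the `in` operator and property reads walk the prototype chain,
// so an inherited validateStatus wins over the library default.
function mergeNaive(defaults, userConfig) {
  const out = {};
  for (const key of Object.keys(defaults)) {
    out[key] = key in userConfig ? userConfig[key] : defaults[key];
  }
  return out;
}

// Hardened merge: only own, enumerable keys are copied, prototype-setting
// keys are skipped, and the result has no prototype to inherit from.
function mergeOwn(defaults, userConfig) {
  const out = Object.create(null);
  for (const key of Object.keys(defaults)) out[key] = defaults[key];
  for (const key of Object.keys(userConfig)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    out[key] = userConfig[key];
  }
  return out;
}

// Run both merges while Object.prototype.validateStatus is polluted to
// "accept every status", then restore the prototype.
function demo() {
  const userConfig = { baseURL: 'https://api.example.test' }; // no own validateStatus
  Object.prototype.validateStatus = () => true; // simulated pollution gadget
  try {
    const naive = mergeNaive(DEFAULTS, userConfig);
    const hardened = mergeOwn(DEFAULTS, userConfig);
    return {
      naiveAccepts500: naive.validateStatus(500),       // true: 5xx treated as success
      hardenedAccepts500: hardened.validateStatus(500), // false: default kept
    };
  } finally {
    delete Object.prototype.validateStatus;
  }
}
```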