axios 0.3.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the axios package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Allocation of Resources Without Limits or Throttling axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `data:` URL handler. An attacker can trigger a denial of service by crafting a `data:` URL with an excessive payload, causing allocation of memory for content decoding before verifying content size limits. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `axios` to version 1.12.0 or higher.	<1.12.0
M Server-side Request Forgery (SSRF) axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to not setting `allowAbsoluteUrls` to `false` by default when processing a requested URL in `buildFullPath()`. It may not be obvious that this value is being used with the less safe default, and URLs that are expected to be blocked may be accepted. This is a bypass of the fix for the vulnerability described in CVE-2025-27152. How to fix Server-side Request Forgery (SSRF)? Upgrade `axios` to version 0.30.0, 1.8.3 or higher.	<0.30.0>=1.0.0 <1.8.3
M Server-side Request Forgery (SSRF) axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the `allowAbsoluteUrls` attribute being ignored in the call to the `buildFullPath` function from the HTTP adapter. An attacker could launch SSRF attacks or exfiltrate sensitive data by tricking applications into sending requests to malicious endpoints. How to fix Server-side Request Forgery (SSRF)? Upgrade `axios` to version 0.30.0, 1.8.2 or higher.	<0.30.0>=1.0.0 <1.8.2
M Regular Expression Denial of Service (ReDoS) axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). An attacker can deplete system resources by providing a manipulated string as input to the format method, causing the regular expression to exhibit a time complexity of `O(n^2)`. This makes the server to become unable to provide normal service due to the excessive cost and time wasted in processing vulnerable regular expressions. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `axios` to version 0.29.0, 1.6.3 or higher.	<0.29.0>=1.0.0 <1.6.3
H Regular Expression Denial of Service (ReDoS) axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `trim` function. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `axios` to version 0.21.3 or higher.	<0.21.3
M Server-Side Request Forgery (SSRF) axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). An attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. How to fix Server-Side Request Forgery (SSRF)? Upgrade `axios` to version 0.21.1 or higher.	<0.21.1
M Denial of Service (DoS) axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Denial of Service (DoS) due to content continuing to be accepted from requests after `maxContentLength` is exceeded. How to fix Denial of Service (DoS)? Upgrade `axios` to version 0.18.1 or higher.	<0.18.1

Vulnerability

Vulnerable Version

Allocation of Resources Without Limits or Throttling