axios@0.3.1

Promise based HTTP client for the browser and node.js

  • latest version

    1.18.1

  • latest non-vulnerable version

  • first published

    11 years ago

  • latest version published

    12 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the axios package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version

    • M (medium severity)
    Insertion of Sensitive Information Into Sent Data

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the setProxy function. An attacker can obtain proxy credentials by inducing a redirect from an HTTP request sent through an authenticated proxy to an HTTPS endpoint where no proxy applies, causing the proxy credentials to be forwarded to the final origin.

    Note:

    This is only exploitable if the application is running in Node.js with the HTTP adapter, an initial HTTP request uses an authenticated proxy, redirects are enabled, the redirect target does not use a proxy, and the redirect shape is not stripped by confidential-header handling.

    How to fix Insertion of Sensitive Information Into Sent Data?

    Upgrade axios to version 0.32.0, 1.16.0 or higher.

    Vulnerable versions: <0.32.0, >=1.0.0 <1.16.0

    • H (high severity)
    Insertion of Sensitive Information Into Sent Data

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the setProxy function. An attacker can obtain sensitive proxy credentials by controlling a redirect target and causing the application to follow a redirect from a proxied request to a direct connection, resulting in the Proxy-Authorization header being sent to the attacker's server.

    Note:

    This is only exploitable if the application is running in Node.js with automatic redirects enabled and uses an authenticated proxy configuration, where the redirect target resolves to a direct connection (such as when HTTPS_PROXY is unset or excluded by NO_PROXY).

    How to fix Insertion of Sensitive Information Into Sent Data?

    Upgrade axios to version 0.32.0, 1.16.0 or higher.

    Vulnerable versions: <0.32.0, >=1.0.0 <1.16.0

    • M (medium severity)
    Regular Expression Denial of Service (ReDoS)

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the read function when attacker-controlled input is used as the cookie name parameter, which is interpolated into a regular expression without proper escaping. An attacker can cause excessive CPU consumption and freeze the browser tab by supplying specially crafted input that triggers catastrophic backtracking in the regex engine.

    Note:

    This is only exploitable if attacker-controlled data can reach the XSRF cookie name configuration or a direct/unsafe call to the internal cookie helper.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade axios to version 0.32.0, 1.16.0 or higher.

    Vulnerable versions: <0.32.0, >=1.0.0 <1.16.0

    • M (medium severity)
    Prototype Pollution

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Prototype Pollution via polluted Object.prototype properties in the merge process. An attacker can inject arbitrary HTTP headers into outbound requests or cause synchronous application crashes by manipulating upstream dependencies to pollute prototype attributes, leading to header injection or denial of service conditions.

    How to fix Prototype Pollution?

    Upgrade axios to version 0.32.0, 1.16.0 or higher.

    Vulnerable versions: <0.32.0, >=1.0.0 <1.16.0

    • H (high severity)
    Prototype Pollution

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Prototype Pollution through the config.proxy property in the HTTP adapter, which accesses properties via the prototype chain. An attacker can intercept and modify all HTTP requests and responses, including sensitive authentication credentials, by polluting the Object.prototype with a malicious proxy object. This allows the attacker to route all HTTP traffic through a proxy server under their control, enabling full visibility and manipulation of data in transit.

    How to fix Prototype Pollution?

    Upgrade axios to version 0.32.0, 1.16.0 or higher.

    Vulnerable versions: <0.32.0, >=1.0.0 <1.16.0

    • H (high severity)
    Server-side Request Forgery (SSRF)

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the shouldBypassProxy function. An attacker can access internal or metadata endpoints by crafting request URLs in IPv4-mapped IPv6 notation, bypassing proxy exclusions. This can result in exposure of sensitive information, such as credentials, especially in cloud environments where instance metadata services are present.

    Note: This is only exploitable if the attacker can control the request URL and the application is configured with NO_PROXY to exclude internal or metadata endpoints while using an HTTP/HTTPS proxy.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade axios to version 0.32.0, 1.16.0 or higher.

    Vulnerable versions: <0.32.0, >=1.0.0 <1.16.0

    • M (medium severity)
    Prototype Pollution

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Prototype Pollution via the mergeDirectKeys function in mergeConfig. An attacker can force a request configuration to inherit attacker-controlled properties by supplying a polluted Object.prototype, causing Axios to read inherited values, such as validateStatus, during config merging. This lets a malicious page or library alter how responses are handled, including making 4xx and 5xx responses be treated as successful and bypassing normal error handling in applications that rely on Axios defaults.

    How to fix Prototype Pollution?

    Upgrade axios to version 0.31.1, 1.15.1 or higher.

    Vulnerable versions: <0.31.1, >=1.0.0 <1.15.1

    • H (high severity)
    Uncontrolled Recursion

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Uncontrolled Recursion through the toFormData recursive serializer in lib/helpers/toFormData.js. An attacker can crash a process by supplying a deeply nested object as request data or params, causing unbounded recursion and a call-stack overflow during multipart/form-data or query-string serialization.

    How to fix Uncontrolled Recursion?

    Upgrade axios to version 0.31.1, 1.15.1 or higher.

    Vulnerable versions: <0.31.1, >=1.0.0 <1.15.1

    • C (critical severity)
    Prototype Pollution

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Prototype Pollution through the mergeConfig code path in the request configuration handling. An attacker can influence request behavior by supplying a crafted config object with inherited properties such as transport, env, formSerializer, or transform callbacks on Object.prototype, causing Axios to use attacker-controlled settings during request dispatch and form serialization. This can redirect requests, alter serialization and response handling, and break application logic that relies on trusted per-request configuration.

    How to fix Prototype Pollution?

    Upgrade axios to version 0.31.1, 1.15.1 or higher.

    Vulnerable versions: <0.31.1, >=1.0.0 <1.15.1

    • M (medium severity)
    Insertion of Sensitive Information Into Sent Data

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data through the request configuration handling in the adapters/xhr.js adapter and helpers/resolveConfig.js. An attacker can force the withXSRFToken option to a truthy non-boolean value, or pollute Object.prototype.withXSRFToken, by supplying a crafted request config that causes the XSRF header to be sent on cross-origin requests. When withXSRFToken is treated as a generic truthy value, the same-origin check is bypassed, and the browser reads the XSRF cookie and attaches it to an attacker-controlled destination. This exposes the user's XSRF token to a cross-origin endpoint, potentially enabling request forgery against the victim's authenticated session.

    How to fix Insertion of Sensitive Information Into Sent Data?

    Upgrade axios to version 0.31.1, 1.15.1 or higher.

    Vulnerable versions: <0.31.1, >=1.0.0 <1.15.1

    • M (medium severity)
    Allocation of Resources Without Limits or Throttling

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the HTTP response handling path in the http.js adapter. An attacker can force a client to accept and process a response body larger than maxContentLength by sending a streamed response with an oversized payload. This allows a remote server to bypass the configured response-size limit, causing the application to read and buffer more data than intended, potentially exhausting memory or stalling request processing.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade axios to version 0.31.1, 1.15.1 or higher.

    Vulnerable versions: <0.31.1, >=1.0.0 <1.15.1

    • M (medium severity)
    Allocation of Resources Without Limits or Throttling

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the data.pipe(req) upload path in the HTTP adapter. An attacker can send a streamed request body larger than the configured maxBodyLength while maxRedirects is 0, causing the client to transmit the oversized payload to the server instead of stopping at the limit. This lets a remote peer force excessive bandwidth and request processing on applications that rely on maxBodyLength to cap upload size, potentially exhausting resources and disrupting service.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade axios to version 0.31.1, 1.15.1 or higher.

    Vulnerable versions: <0.31.1, >=1.0.0 <1.15.1

    • M (medium severity)
    Server-side Request Forgery (SSRF)

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the AxiosHeaders normalization path and shouldBypassProxy helper. An attacker can smuggle CRLF and other control characters into request header values by supplying crafted header input, causing injected header fields to be sent on outbound requests and potentially altering how downstream servers interpret the request; in proxy configurations, a request to localhost, 127.0.0.1, or ::1 can be routed differently depending on the no_proxy entry, allowing loopback traffic to bypass the intended proxy handling.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade axios to version 0.31.1, 1.15.1 or higher.

    Vulnerable versions: <0.31.1, >=1.0.0 <1.15.1

    • C (critical severity)
    HTTP Response Splitting

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to HTTP Response Splitting via the isFormData and getHeaders handling in the HTTP request path. An attacker can inject arbitrary request headers by supplying a prototype-polluted object that is mistaken for FormData, causing getHeaders() output to be merged into an outgoing request. This lets attacker-controlled values, such as authorization or custom headers, ride along with requests made by applications that pass untrusted objects into Axios, exposing credentials or altering server-side request handling.

    Notes

    • The gadget only matters when the request body is a non-FormData payload that Axios still routes through the Node HTTP adapter’s form-data detection path; browser-side usage is not implicated by this code path.
    • The advisory’s prototype-pollution prerequisite can come from any dependency in the application’s tree, not necessarily from Axios itself, so a separate merge/parser bug elsewhere can be enough to trigger the header injection.

    How to fix HTTP Response Splitting?

    Upgrade axios to version 0.31.1, 1.15.1 or higher.

    Vulnerable versions: <0.31.1, >=1.0.0 <1.15.1

    • M (medium severity)
    Improper Encoding or Escaping of Output

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the encode function in AxiosURLSearchParams. An attacker can smuggle a NUL byte into serialized query strings by supplying crafted parameter values, causing downstream parsers or backend components to misinterpret the request and potentially truncate or alter parameter handling.

    Note: The standard axios request flow (buildURL) uses its own encode function, which does not have this bug. The issue is only triggered via a direct AxiosURLSearchParams.toString() call without an encoder, or via custom paramsSerializer delegation.

    How to fix Improper Encoding or Escaping of Output?

    Upgrade axios to version 0.31.1, 1.15.1 or higher.

    Vulnerable versions: <0.31.1, >=1.0.0 <1.15.1

    • H (high severity)
    HTTP Response Splitting

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to HTTP Response Splitting via the parseTokens header processing path in lib/core/AxiosHeaders.js. An attacker can smuggle HTTP requests or inject arbitrary headers by supplying a header value containing \r\n, which Axios merges into an outbound request. Under specific conditions, this can be used to exfiltrate cloud metadata tokens, pivot into internal services, or poison downstream HTTP traffic.

    Notes

    • Exploitation requires prior successful prototype pollution in a third-party dependency, enabling attacker-controlled header data to flow into Axios via configuration merging or AxiosHeaders.set(...).
    • IMDSv2 token exfiltration (described in the original vulnerability report as another step in the exploit chain following the smuggling of a PUT request) further depends on the application running in an AWS environment with instance metadata access enabled, and on the Axios process having network access to the metadata endpoint.
    • A possible but uncommon vector mentioned in the maintainers' advisory relies on the use of a non-standard Axios transport mechanism, e.g. a custom adapter, to bypass Node.js header validation, thereby permitting malformed or injected header values to be transmitted without rejection. In most cases, this vector is blocked by Node.js's built-in header validation.

    How to fix HTTP Response Splitting?

    Upgrade axios to version 0.31.0, 1.15.0 or higher.

    Vulnerable versions: <0.31.0, >=1.0.0 <1.15.0

    • M (medium severity)
    Unintended Proxy or Intermediary ('Confused Deputy')

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via improper hostname normalization in the NO_PROXY environment variable. An attacker controlling request URLs can access internal or loopback services by crafting requests (with a trailing dot or [::1]) that bypass proxy restrictions, causing sensitive requests to be routed through an unintended proxy.

    Note:

    This is only exploitable if the application relies on NO_PROXY=localhost,127.0.0.1,::1 for protecting loopback/internal access.

    How to fix Unintended Proxy or Intermediary ('Confused Deputy')?

    Upgrade axios to version 0.31.0, 1.15.0 or higher.

    Vulnerable versions: <0.31.0, >=1.0.0 <1.15.0

    • H (high severity)
    Prototype Pollution

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Prototype Pollution via the mergeConfig function. An attacker can cause the application to crash by supplying a malicious configuration object containing a __proto__ property, typically by leveraging JSON.parse().

    How to fix Prototype Pollution?

    Upgrade axios to version 0.30.3, 1.13.5 or higher.

    Vulnerable versions: <0.30.3, >=1.0.0-alpha.1 <1.13.5

    • M (medium severity)
    Allocation of Resources Without Limits or Throttling

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the data: URL handler. An attacker can trigger a denial of service by crafting a data: URL with an excessive payload, causing allocation of memory for content decoding before verifying content size limits.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade axios to version 0.30.0, 1.12.0 or higher.

    Vulnerable versions: <0.30.0, >=1.0.0-alpha.1 <1.12.0

    • M (medium severity)
    Server-side Request Forgery (SSRF)

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to not setting allowAbsoluteUrls to false by default when processing a requested URL in buildFullPath(). It may not be obvious that this value is being used with the less safe default, and URLs that are expected to be blocked may be accepted. This is a bypass of the fix for the vulnerability described in CVE-2025-27152.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade axios to version 0.30.0, 1.8.3 or higher.

    Vulnerable versions: <0.30.0, >=1.0.0 <1.8.3

    • M (medium severity)
    Server-side Request Forgery (SSRF)

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the allowAbsoluteUrls attribute being ignored in the call to the buildFullPath function from the HTTP adapter. An attacker could launch SSRF attacks or exfiltrate sensitive data by tricking applications into sending requests to malicious endpoints.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade axios to version 0.30.0, 1.8.2 or higher.

    Vulnerable versions: <0.30.0, >=1.0.0 <1.8.2

    • M (medium severity)
    Regular Expression Denial of Service (ReDoS)

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). An attacker can deplete system resources by providing a manipulated string as input to the format method, causing the regular expression to exhibit a time complexity of O(n^2). This can leave the server unable to provide normal service because of the excessive time spent processing the vulnerable regular expression.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade axios to version 0.29.0, 1.6.3 or higher.

    Vulnerable versions: <0.29.0, >=1.0.0-alpha.1 <1.6.3

    • H (high severity)
    Regular Expression Denial of Service (ReDoS)

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim function.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade axios to version 0.21.3 or higher.

    Vulnerable versions: <0.21.3

    • M (medium severity)
    Server-Side Request Forgery (SSRF)

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). An attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

    How to fix Server-Side Request Forgery (SSRF)?

    Upgrade axios to version 0.21.1 or higher.

    Vulnerable versions: <0.21.1

    • M (medium severity)
    Denial of Service (DoS)

    axios is a promise-based HTTP client for the browser and Node.js.

    Affected versions of this package are vulnerable to Denial of Service (DoS) due to content continuing to be accepted from requests after maxContentLength is exceeded.

    How to fix Denial of Service (DoS)?

    Upgrade axios to version 0.18.1 or higher.

    Vulnerable versions: <0.18.1