SB2026070641 - Multiple vulnerabilities in axios



SB2026070641 - Multiple vulnerabilities in axios

Published: July 6, 2026

Security Bulletin ID SB2026070641
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 14
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 14 vulnerabilities.


1) Resource exhaustion (CVE-ID: N/A)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in formDataToJSON when parsing attacker-controlled FormData field names with deeply nested bracket segments. A remote attacker can send crafted FormData input to cause a denial of service.

The issue affects direct use of axios.formToJSON() and JSON serialization of FormData when the Content-Type contains application/json.


2) Uncontrolled Recursion (CVE-ID: N/A)

CWE-ID: CWE-674 - Uncontrolled Recursion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled recursion in formDataToJSON when processing attacker-controlled FormData field names during FormData-to-JSON conversion. A remote attacker can supply a crafted FormData field name with deeply nested bracket segments to cause a denial of service.

The vulnerable request-transform path is reached when FormData is sent with an application/json content type, and direct use of formToJSON() throws synchronously.


3) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform server-side request forgery and disclose sensitive information.

The vulnerability exists due to improper input validation in shouldBypassProxy when handling requests to loopback-equivalent addresses. A remote attacker can supply a crafted URL using 0.0.0.0, ::, or ::ffff:0.0.0.0 to perform server-side request forgery and disclose sensitive information.

Exploitation requires an Axios client configured with a proxy and relying on NO_PROXY=localhost for loopback protection.


4) Prototype pollution (CVE-ID: N/A)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to tamper with outbound requests.

The vulnerability exists due to improper control of object prototype attributes in Basic auth handling in lib/adapters/http.js and lib/helpers/resolveConfig.js when processing requests with an own auth object that omits username or password in a host process already affected by prototype pollution. A remote user can pollute Object.prototype.username and Object.prototype.password to tamper with outbound requests.

Exploitation requires a separate prototype-pollution primitive in the host process, and affects requests where config.auth is an own object but username and/or password are absent own properties.


5) Prototype pollution (CVE-ID: N/A)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to tamper with outbound requests and disclose sensitive information.

The vulnerability exists due to improper control of object prototype attributes in params and paramsSerializer handling in lib/helpers/resolveConfig.js when building request URLs in a host process already affected by prototype pollution. A remote user can pollute Object.prototype.params or Object.prototype.paramsSerializer to tamper with outbound requests and disclose sensitive information.

Exploitation requires a separate prototype-pollution primitive in the host process. The advisory notes that attacker-controlled paramsSerializer functions are not achievable through JSON-only prototype pollution.


6) Permissive List of Allowed Inputs (CVE-ID: N/A)

CWE-ID: CWE-183 - Permissive List of Allowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform server-side request forgery against local services through a configured proxy.

The vulnerability exists due to permissive list of allowed inputs in lib/helpers/shouldBypassProxy.js when evaluating NO_PROXY rules for requests to 0.0.0.0 in the Node.js HTTP adapter. A remote attacker can supply a crafted request URL or redirect target to perform server-side request forgery against local services through a configured proxy.

Exploitation requires axios to run in Node.js with environment proxy variables enabled, attacker-controlled input to influence the request URL or redirect target, and a proxy that can reach or relay 0.0.0.0 to local destinations.


7) Prototype pollution (CVE-ID: N/A)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to alter request semantics.

The vulnerability exists due to improperly controlled modification of object prototype attributes in bodyless method aliases in lib/core/Axios.js when processing requests after Object.prototype has already been polluted. A remote user can pollute Object.prototype.data to alter request semantics.

Exploitation requires chaining with a separate prototype pollution condition in the same process.


8) Prototype pollution (CVE-ID: N/A)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information or modify outbound traffic.

The vulnerability exists due to improperly controlled modification of object prototype attributes in the Node HTTP adapter when processing plain config objects after Object.prototype has already been polluted. A remote user can pollute Object.prototype.proxy to disclose sensitive information or modify outbound traffic.

This affects direct low-level adapter usage with plain config objects that do not define their own proxy property.


9) Prototype pollution (CVE-ID: N/A)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to control URL serialization and disclose sensitive information.

The vulnerability exists due to improperly controlled modification of object prototype attributes in resolveConfig or browser-adapter helper paths when processing plain config objects after Object.prototype has already been polluted. A remote user can pollute Object.prototype.paramsSerializer to control URL serialization and disclose sensitive information.

This affects direct resolveConfig or browser-adapter helper usage with plain config objects that do not define their own paramsSerializer property.


10) Allocation of Resources Without Limits or Throttling (CVE-ID: N/A)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause resource consumption and exhaust upstream quotas or bandwidth.

The vulnerability exists due to allocation of resources without limits or throttling in the fetch adapter when processing attacker-controlled unknown-length WHATWG ReadableStream request bodies. A remote attacker can supply a specially crafted streamed request body to cause resource consumption and exhaust upstream quotas or bandwidth.

Exploitation requires an application to use the fetch adapter, set a finite maxBodyLength value, and pass attacker-controlled stream data without a reliable Content-Length.


11) Resource exhaustion (CVE-ID: N/A)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to cause uncontrolled resource consumption.

The vulnerability exists due to uncontrolled resource consumption in the Node.js HTTP/2 upload handling in the HTTP adapter when processing attacker-controlled streamed request bodies with httpVersion: 2 and a finite maxBodyLength. A remote user can supply a specially crafted oversized stream to cause uncontrolled resource consumption.

Only the Node.js HTTP adapter is affected. Browser adapters are not affected, and buffered request bodies are checked before the request is sent.


12) Prototype pollution (CVE-ID: N/A)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to tamper with outbound requests and disclose sensitive information.

The vulnerability exists due to improperly controlled modification of object prototype attributes in nested axios request option objects when processing placeholder nested option objects in a JavaScript process with a polluted Object.prototype. A remote user can pollute inherited username, password, encode, or serialize properties to tamper with outbound requests and disclose sensitive information.

Exploitation requires a separate prototype-pollution primitive in the same process, and affected cases include auth or paramsSerializer objects that omit their own relevant properties.


13) Prototype pollution (CVE-ID: N/A)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improperly controlled modification of object prototype attributes in the Node.js HTTP adapter request path when processing interceptor-returned regular object configs with a polluted Object.prototype.proxy. A remote user can trigger prototype pollution elsewhere in the process and cause affected HTTP requests to be routed through an attacker-controlled proxy to disclose sensitive information.

Exploitation requires Node.js HTTP adapter usage and a request interceptor that returns a plain object copy of the request configuration. The confirmed disclosure impact is limited to plaintext HTTP requests and can expose authorization headers, request metadata, and request body content.


14) Uncontrolled Recursion (CVE-ID: N/A)

CWE-ID: CWE-674 - Uncontrolled Recursion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled recursion in lib/helpers/toFormData.js when serializing an object with a top-level key ending in {} and a deeply nested object value. A remote attacker can supply crafted object keys and nested values to trigger a stack overflow and cause a denial of service.

The issue affects form and parameter serialization paths that delegate to toFormData, and the thrown error is a raw RangeError rather than the intended AxiosError depth-limit signal.


Remediation

Install update from vendor's website.