#VU115167 Allocation of Resources Without Limits or Throttling in axios - CVE-2025-58754


Vulnerability identifier: #VU115167

Vulnerability risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2025-58754

CWE-ID: CWE-770

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
axios
Web applications / Modules and components for CMS

Vendor: axios

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits within data: URL decode. A remote attacker can cause a denial of service condition on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

axios: 1.0.0 - 1.11.0

External links
https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Automation Decision Services
Multiple vulnerabilities in IBM Guardium Data Security Center
IBM Edge Data Collector update for axios
IBM Spectrum Control update for Axios
Multiple vulnerabilities in IBM API Connect
Multiple vulnerabilities in IBM Decision Optimization for Cloud Pak for Data
Multiple vulnerabilities in Netcool Operations Insight
IBM Voice Gateway update for Axios
IBM PowerVC update for Axios
Allocation of resources without limits or throttling in IBM Security SOAR