35 Total advisories
34 Vulnerabilities
1 Malware
Vulnerabilities
LOW 3.7
CVE-2026-44489
Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
MEDIUM 4.8
CVE-2026-44490
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
HIGH 7.0
CVE-2026-44495
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
HIGH 8.7
CVE-2026-44494
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
UNKNOWN
CVE-2026-44487
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
HIGH 7.5
CVE-2026-44486
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
HIGH 7.5
CVE-2026-44488
Allocation of Resources Without Limits or Throttling in Axios
HIGH 7.5
CVE-2026-44496
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
HIGH 7.5
CVE-2026-42039
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
HIGH 8.6
CVE-2026-44492
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
MEDIUM 4.8
CVE-2026-40175
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
HIGH 7.4
CVE-2026-42264
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
HIGH 7.5
CVE-2026-25639
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
MEDIUM 4.8
CVE-2025-62718
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
MEDIUM 4.8
CVE-2026-42041
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
MEDIUM 6.8
CVE-2026-42038
Axios: no_proxy bypass via IP alias allows SSRF
MEDIUM 5.3
CVE-2026-42036
Axios: HTTP adapter streamed responses bypass maxContentLength
MEDIUM 5.4
CVE-2026-42042
Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
MEDIUM 6.5
CVE-2026-42044
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
MEDIUM 5.3
CVE-2026-42037
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
MEDIUM 5.3
CVE-2026-42034
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
HIGH 7.4
CVE-2026-42035
Axios: Header Injection via Prototype Pollution
HIGH 7.4
CVE-2026-42033
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
LOW 3.7
CVE-2026-42040
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
HIGH 7.2
CVE-2026-42043
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
MEDIUM 5.9
CVE-2026-39865
Axios HTTP/2 Session Cleanup State Corruption Vulnerability
HIGH 7.5
CVE-2025-54371
Withdrawn Advisory: Axios has Transitive Critical Vulnerability via form-data
UNKNOWN
CVE-2024-39338
Server-Side Request Forgery in axios
UNKNOWN
CVE-2025-27152
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
HIGH 7.5
CVE-2025-58754
Axios is vulnerable to DoS attack through lack of data size check
MEDIUM 6.5
CVE-2023-45857
Axios Cross-Site Request Forgery Vulnerability
HIGH 7.5
CVE-2021-3749
axios Inefficient Regular Expression Complexity vulnerability
MEDIUM 5.9
CVE-2020-28168
Axios vulnerable to Server-Side Request Forgery
HIGH 7.5
CVE-2019-10742
Denial of Service in axios