— npm
MAL-2026-2307 · GHSA-fw8c-xr5c-95f9 Malicious code in axios (npm)
Modified: 4/7/2026
package
npm / axios
pkg:npm/axios
HIGH 8.7 npm
GHSA-35jp-ww65-95wh · CVE-2026-44494 axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
Modified: 6/1/2026
HIGH 7.0 npm
GHSA-3g43-6gmg-66jw · CVE-2026-44495 axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
Modified: 6/8/2026
MEDIUM 4.8 npm
GHSA-3p68-rc4w-qgx5 · CVE-2025-62718 Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
Modified: 5/8/2026
MEDIUM 6.5 npm
GHSA-3w6x-2g7m-8v23 · CVE-2026-42044 Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
Modified: 5/6/2026
HIGH 7.5 npm
GHSA-42xw-2xvc-qx8m · CVE-2019-10742 Denial of Service in axios
Modified: 11/8/2023
HIGH 7.5 npm
GHSA-43fc-jf86-j433 · CVE-2026-25639 Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
Modified: 5/8/2026
MEDIUM 5.3 npm
GHSA-445q-vr5w-6q77 · CVE-2026-42037 Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
Modified: 5/6/2026
HIGH 7.5 npm
GHSA-4hjh-wcwx-xvwj · CVE-2025-58754 Axios is vulnerable to DoS attack through lack of data size check
Modified: 2/4/2026
MEDIUM 5.9 npm
GHSA-4w2v-q235-vp99 · CVE-2020-28168 Axios vulnerable to Server-Side Request Forgery
Modified: 11/8/2023
MEDIUM 5.3 npm
GHSA-5c9x-8gcm-mpgx · CVE-2026-42034 Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
Modified: 5/6/2026
HIGH 7.5 npm
GHSA-62hf-57xw-28j9 · CVE-2026-42039 Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
Modified: 6/8/2026
LOW 3.7 npm
GHSA-654m-c8p4-x5fp · CVE-2026-44489 Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
Modified: 6/1/2026
HIGH 7.4 npm
GHSA-6chq-wfr3-2hj9 · CVE-2026-42035 Axios: Header Injection via Prototype Pollution
Modified: 5/6/2026
HIGH 7.5 npm
GHSA-777c-7fjr-54vf · CVE-2026-44488 Allocation of Resources Without Limits or Throttling in Axios
Modified: 6/4/2026
MEDIUM 4.8 npm
GHSA-898c-q2cr-xwhg · CVE-2026-44490 axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
Modified: 6/1/2026
HIGH npm
GHSA-8hc4-vh64-cxmj · CVE-2024-39338 Server-Side Request Forgery in axios
Modified: 2/4/2026
HIGH 7.5 npm
GHSA-cph5-m8f7-6c5x · CVE-2021-3749 axios Inefficient Regular Expression Complexity vulnerability
Modified: 11/8/2023
MEDIUM 4.8 npm
GHSA-fvcv-3m26-pcqx · CVE-2026-40175 Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
Modified: 5/20/2026
HIGH 7.5 npm
GHSA-hfxv-24rg-xrqf · CVE-2026-44496 Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
Modified: 6/4/2026
HIGH 7.5 npm
GHSA-j5f8-grm9-p9fc · CVE-2026-44486 Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
Modified: 6/4/2026
HIGH npm
GHSA-jr5f-v2jv-69x6 · CVE-2025-27152 axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
Modified: 2/4/2026
MEDIUM 6.8 npm
GHSA-m7pr-hjqh-92cm · CVE-2026-42038 Axios: no_proxy bypass via IP alias allows SSRF
Modified: 5/6/2026
HIGH npm
GHSA-p92q-9vqr-4j8v · CVE-2026-44487 Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
Modified: 6/4/2026
HIGH 7.4 npm
GHSA-pf86-5x62-jrwf · CVE-2026-42033 Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
Modified: 5/6/2026
HIGH 8.6 npm
GHSA-pjwm-pj3p-43mv · CVE-2026-44492 axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
Modified: 6/1/2026
HIGH 7.2 npm
GHSA-pmwg-cvhr-8vh7 · CVE-2026-42043 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
Modified: 5/6/2026
HIGH 7.4 npm
GHSA-q8qp-cvcw-x6jj · CVE-2026-42264 Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
Modified: 5/12/2026
MEDIUM 5.9 npm
GHSA-qj83-cq47-w5f8 · CVE-2026-39865 Axios HTTP/2 Session Cleanup State Corruption Vulnerability
Modified: 5/5/2026
MEDIUM 5.3 npm
GHSA-vf2m-468p-8v99 · CVE-2026-42036 Axios: HTTP adapter streamed responses bypass maxContentLength
Modified: 5/6/2026
MEDIUM 4.8 npm
GHSA-w9j2-pvgh-6h63 · CVE-2026-42041 Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
Modified: 5/6/2026
MEDIUM 6.5 npm
GHSA-wf5p-g6vw-rhxx · CVE-2023-45857 Axios Cross-Site Request Forgery Vulnerability
Modified: 2/4/2026
LOW 3.7 npm
GHSA-xhjh-pmcv-23jw · CVE-2026-42040 Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
Modified: 5/6/2026
MEDIUM 5.4 npm
GHSA-xx6v-rp6x-q39c · CVE-2026-42042 Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
Modified: 5/6/2026