When Axios runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response. This path ignores maxContentLength / maxBodyLength (which only protect HTTP responses), so an attacker can supply a very large data: URI and cause the process to allocate unbounded memory and crash (DoS), even …
Vulnerability Type: Predictable Value / HTTP Parameter Pollution Risk: Critical (CVSS 9.4) Impacted Users: Any application using axios@1.10.0 to submit multipart form-data This could potentially allow attackers to: Interfere with multipart request parsing Inject unintended parameters Exploit backend deserialization logic depending on content boundaries
A critical vulnerability exists in the form-data package used by axios@1.10.0. The issue allows an attacker to predict multipart boundary values generated using Math.random(), opening the door to HTTP parameter pollution or injection attacks. This was submitted in issue #6969 and addressed in pull request #6970.
A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463 A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
This advisory has been invalidated due to the CVE being rejected.
axios is vulnerable to Inefficient Regular Expression Complexity
Axios NPM package contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Axios allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.