npm vulnerability intelligence

axios NPM Package Vulnerability Check

Promise based HTTP client for the browser and node.js

v1.18.0 · MIT · 120,325,703 dl/wk

Advisory Breakdown

Critical 0
High 17
Moderate 14
Low 2

Severity Rating

High severity

34 advisories

Known advisories

OSV records for the npm ecosystem: 34
GHSA-35jp-ww65-95wh CVE-2026-44494 high

axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`

Affected: >=1.0.0 <1.16.0 Fixed in: 1.16.0 Updated Jun 12, 2026
GHSA-3g43-6gmg-66jw CVE-2026-44495 high

axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge

Affected: >=1.0.0 <1.15.2, >=0.19.0 <0.31.1 Fixed in: 1.15.2, 0.31.1 Updated Jun 12, 2026
GHSA-3p68-rc4w-qgx5 CVE-2025-62718 moderate

Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

Affected: >=1.0.0 <1.15.0, >=0 <0.31.0 Fixed in: 1.15.0, 0.31.0 Updated May 8, 2026
GHSA-3w6x-2g7m-8v23 CVE-2026-42044 moderate

Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

Affected: >=1.0.0 <1.15.2 Fixed in: 1.15.2 Updated May 6, 2026
GHSA-42xw-2xvc-qx8m CVE-2019-10742 high

Denial of Service in axios

Affected: >=0 <0.18.1 Fixed in: 0.18.1 Updated Nov 8, 2023
GHSA-43fc-jf86-j433 CVE-2026-25639 high

Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig

Affected: >=1.0.0 <1.13.5, >=0 <0.30.3 Fixed in: 1.13.5, 0.30.3 Updated May 8, 2026
GHSA-445q-vr5w-6q77 CVE-2026-42037 moderate

Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream

Affected: >=1.0.0 <1.15.1 Fixed in: 1.15.1 Updated May 6, 2026
GHSA-4hjh-wcwx-xvwj CVE-2025-58754 high

Axios is vulnerable to DoS attack through lack of data size check

Affected: >=1.0.0 <1.12.0, >=0.28.0 <0.30.2 Fixed in: 1.12.0, 0.30.2 Updated Feb 4, 2026
GHSA-4w2v-q235-vp99 CVE-2020-28168 moderate

Axios vulnerable to Server-Side Request Forgery

Affected: >=0 <0.21.1 Fixed in: 0.21.1 Updated Nov 8, 2023
GHSA-5c9x-8gcm-mpgx CVE-2026-42034 moderate

Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0

Affected: >=1.0.0 <1.15.1, >=0 <0.31.1 Fixed in: 1.15.1, 0.31.1 Updated May 6, 2026
GHSA-62hf-57xw-28j9 CVE-2026-42039 moderate

Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

Affected: >=1.0.0 <1.15.1, >=0 <0.31.1 Fixed in: 1.15.1, 0.31.1 Updated Jun 8, 2026
GHSA-654m-c8p4-x5fp CVE-2026-44489 low

Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Affected: >=1.15.2 <1.16.0 Fixed in: 1.16.0 Updated Jun 12, 2026
GHSA-6chq-wfr3-2hj9 CVE-2026-42035 high

Axios: Header Injection via Prototype Pollution

Affected: >=1.0.0 <1.15.1, >=0 <0.31.1 Fixed in: 1.15.1, 0.31.1 Updated May 6, 2026
GHSA-777c-7fjr-54vf CVE-2026-44488 high

Allocation of Resources Without Limits or Throttling in Axios

Affected: >=1.7.0 <1.16.0 Fixed in: 1.16.0 Updated Jun 12, 2026
GHSA-898c-q2cr-xwhg CVE-2026-44490 moderate

axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions

Affected: >=1.0.0 <1.16.0, >=0 <0.32.0 Fixed in: 1.16.0, 0.32.0 Updated Jun 12, 2026
GHSA-8hc4-vh64-cxmj CVE-2024-39338 high

Server-Side Request Forgery in axios

Affected: >=1.3.2 <1.7.4 Fixed in: 1.7.4 Updated Feb 4, 2026
GHSA-cph5-m8f7-6c5x CVE-2021-3749 high

axios Inefficient Regular Expression Complexity vulnerability

Affected: >=0 <0.21.2 Fixed in: 0.21.2 Updated Nov 8, 2023
GHSA-fvcv-3m26-pcqx CVE-2026-40175 moderate

Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Affected: >=1.0.0 <1.15.0, >=0 <0.31.0 Fixed in: 1.15.0, 0.31.0 Updated May 20, 2026
GHSA-hfxv-24rg-xrqf CVE-2026-44496 high

Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection

Affected: >=1.0.0 <1.16.0, >=0 <0.32.0 Fixed in: 1.16.0, 0.32.0 Updated Jun 10, 2026
GHSA-j5f8-grm9-p9fc CVE-2026-44486 high

Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection

Affected: >=1.0.0 <1.16.0, >=0 <0.32.0 Fixed in: 1.16.0, 0.32.0 Updated Jun 12, 2026
GHSA-jr5f-v2jv-69x6 CVE-2025-27152 high

axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

Affected: >=1.0.0 <1.8.2, >=0 <0.30.0 Fixed in: 1.8.2, 0.30.0 Updated Feb 4, 2026
GHSA-m7pr-hjqh-92cm CVE-2026-42038 moderate

Axios: no_proxy bypass via IP alias allows SSRF

Affected: >=1.0.0 <1.15.1, >=0 <0.31.1 Fixed in: 1.15.1, 0.31.1 Updated May 6, 2026
GHSA-p92q-9vqr-4j8v CVE-2026-44487 high

Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter

Affected: >=1.0.0 <1.16.0, >=0 <0.32.0 Fixed in: 1.16.0, 0.32.0 Updated Jun 12, 2026
GHSA-pf86-5x62-jrwf CVE-2026-42033 high

Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking

Affected: >=1.0.0 <1.15.1, >=0 <0.31.1 Fixed in: 1.15.1, 0.31.1 Updated May 6, 2026
GHSA-pjwm-pj3p-43mv CVE-2026-44492 high

axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)

Affected: >=1.0.0 <1.16.0, >=0 <0.32.0 Fixed in: 1.16.0, 0.32.0 Updated Jun 1, 2026
GHSA-pmwg-cvhr-8vh7 CVE-2026-42043 high

Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Affected: >=1.0.0 <1.15.1, >=0 <0.31.1 Fixed in: 1.15.1, 0.31.1 Updated May 6, 2026
GHSA-q8qp-cvcw-x6jj CVE-2026-42264 high

Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking

Affected: >=1.0.0 <1.15.2 Fixed in: 1.15.2 Updated May 12, 2026
GHSA-qj83-cq47-w5f8 CVE-2026-39865 moderate

Axios HTTP/2 Session Cleanup State Corruption Vulnerability

Affected: >=1.13.0 <1.13.2 Fixed in: 1.13.2 Updated May 5, 2026
GHSA-vf2m-468p-8v99 CVE-2026-42036 moderate

Axios: HTTP adapter streamed responses bypass maxContentLength

Affected: >=1.0.0 <1.15.1, >=0 <0.31.1 Fixed in: 1.15.1, 0.31.1 Updated May 6, 2026
GHSA-w9j2-pvgh-6h63 CVE-2026-42041 moderate

Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

Affected: >=1.0.0 <1.15.1, >=0 <0.31.1 Fixed in: 1.15.1, 0.31.1 Updated May 6, 2026
GHSA-wf5p-g6vw-rhxx CVE-2023-45857 moderate

Axios Cross-Site Request Forgery Vulnerability

Affected: >=1.0.0 <1.6.0, >=0.8.1 <0.28.0 Fixed in: 1.6.0, 0.28.0 Updated Feb 4, 2026
GHSA-xhjh-pmcv-23jw CVE-2026-42040 low

Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

Affected: >=1.0.0 <1.15.1, >=0 <0.31.1 Fixed in: 1.15.1, 0.31.1 Updated May 6, 2026
GHSA-xx6v-rp6x-q39c CVE-2026-42042 moderate

Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion

Affected: >=1.0.0 <1.15.1, >=0 <0.31.1 Fixed in: 1.15.1, 0.31.1 Updated May 6, 2026
MAL-2026-2307 GHSA-fw8c-xr5c-95f9 unknown

Malicious code in axios (npm)

Updated Apr 7, 2026

Checked Jun 15, 2026, 11:25 AM from npm and OSV.dev

Package metadata

From the npm registry

Package name: axios
Ecosystem: npm
Latest version: 1.18.0
License: MIT
Weekly downloads: 120,325,703

Remediation boundary

What RequestGuard does — and doesn't — cover

RequestGuard does not fix npm package vulnerabilities. Dependency remediation happens through package updates, patches, lockfile changes, and maintainer guidance. RequestGuard can help mitigate runtime abuse around exposed web and API flows while remediation is handled separately.

Signup flows
Login attempts
API traffic