| Severity | Score | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| HIGH | 8.7 | CVE-2026-44494 | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` | >= 1.0.0, < 1.16.0 |
| HIGH | 8.6 | CVE-2026-44492 | axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) | >= 1.0.0, < 1.16.0 |
| HIGH | 7.5 | CVE-2026-44496 | Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection | >= 1.0.0, < 1.16.0 |
| HIGH | 7.5 | | Allocation of Resources Without Limits or Throttling in Axios | >= 1.7.0, < 1.16.0 |
| HIGH | 7.5 | | Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter | >= 1.0.0, < 1.16.0 |
| HIGH | 7.5 | | Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection | >= 1.0.0, < 1.16.0 |
| HIGH | 7.5 | | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data | >= 1.0.0, < 1.15.1 |
| HIGH | 7.5 | | Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig | >= 1.0.0, < 1.13.5 |
| HIGH | 7.5 | | Axios is vulnerable to DoS attack through lack of data size check | >= 1.0.0, < 1.12.0 |
| HIGH | 7.5 | | Withdrawn Advisory: Axios has Transitive Critical Vulnerability via form-data | >= 1.10.0, < 1.11.0 |
| HIGH | 7.5 | | Server-Side Request Forgery in axios | >= 1.3.2, < 1.7.4 |
| HIGH | 7.5 | | axios Inefficient Regular Expression Complexity vulnerability | from 0, < 0.21.2 |
| HIGH | 7.5 | | Denial of Service in axios | from 0, < 0.18.1 |
| HIGH | 7.4 | | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking | >= 1.0.0, < 1.15.1 |
| HIGH | 7.4 | | Axios: Header Injection via Prototype Pollution | >= 1.0.0, < 1.15.1 |
| HIGH | 7.4 | | Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking | >= 1.0.0, < 1.15.2 |
| HIGH | 7.2 | | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 | >= 1.0.0, < 1.15.1 |
| HIGH | 7.0 | | axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge | >= 1.0.0, < 1.15.2 |
| MEDIUM | 6.8 | | Axios: no_proxy bypass via IP alias allows SSRF | >= 1.0.0, < 1.15.1 |
| MEDIUM | 6.5 | | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` | >= 1.0.0, < 1.15.2 |
| MEDIUM | 6.5 | | Axios Cross-Site Request Forgery Vulnerability | >= 1.0.0, < 1.6.0 |
| MEDIUM | 5.9 | | Axios HTTP/2 Session Cleanup State Corruption Vulnerability | >= 1.13.0, < 1.13.2 |
| MEDIUM | 5.9 | | Axios vulnerable to Server-Side Request Forgery | from 0, < 0.21.1 |
| MEDIUM | 5.4 | | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion | >= 1.0.0, < 1.15.1 |
| MEDIUM | 5.3 | | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream | >= 1.0.0, < 1.15.1 |
| MEDIUM | 5.3 | | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 | >= 1.0.0, < 1.15.1 |
| MEDIUM | 5.3 | | Axios: HTTP adapter streamed responses bypass maxContentLength | >= 1.0.0, < 1.15.1 |
| MEDIUM | 5.3 | | axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL | >= 1.0.0, < 1.8.2 |
| MEDIUM | 4.8 | | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions | >= 1.0.0, < 1.16.0 |
| MEDIUM | 4.8 | | Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy | >= 1.0.0, < 1.15.1 |
| MEDIUM | 4.8 | | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | >= 1.0.0, < 1.15.0 |
| MEDIUM | 4.8 | | Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF | >= 1.0.0, < 1.15.0 |
| LOW | 3.7 | | Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix | >= 1.15.2, < 1.16.0 |
| LOW | 3.7 | | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams | >= 1.0.0, < 1.15.1 |