pkg:npm/axios

30 total CVEs: HIGH 14, MEDIUM 14, LOW 2

All known vulnerabilities

  • HIGH 8.7 | CVE-2026-44494 | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
    >= 1.0.0, < 1.16.0
  • HIGH 8.6 | CVE-2026-44492 | axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
    >= 1.0.0, < 1.16.0
  • HIGH 7.5 | CVE-2026-42039 | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
    >= 1.0.0, < 1.15.1
  • HIGH 7.5 | CVE-2026-25639 | Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
    >= 1.0.0, < 1.13.5
  • HIGH 7.5 | CVE-2025-58754 | Axios is vulnerable to DoS attack through lack of data size check
    >= 1.0.0, < 1.12.0
  • HIGH 7.5 | CVE-2025-54371 | Withdrawn Advisory: Axios has Transitive Critical Vulnerability via form-data
    >= 1.10.0, < 1.11.0
  • HIGH 7.5 | CVE-2024-39338 | Server-Side Request Forgery in axios
    >= 1.3.2, < 1.7.4
  • HIGH 7.5 | CVE-2021-3749 | axios Inefficient Regular Expression Complexity vulnerability
    from 0, < 0.21.2
  • HIGH 7.5 | CVE-2019-10742 | Denial of Service in axios
    from 0, < 0.18.1
  • HIGH 7.4 | CVE-2026-42033 | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
    >= 1.0.0, < 1.15.1
  • HIGH 7.4 | CVE-2026-42035 | Axios: Header Injection via Prototype Pollution
    >= 1.0.0, < 1.15.1
  • HIGH 7.4 | CVE-2026-42264 | Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
    >= 1.0.0, < 1.15.2
  • HIGH 7.2 | CVE-2026-42043 | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
    >= 1.0.0, < 1.15.1
  • HIGH 7.0 | CVE-2026-44495 | axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
    >= 1.0.0, < 1.15.2
  • MEDIUM 6.8 | CVE-2026-42038 | Axios: no_proxy bypass via IP alias allows SSRF
    >= 1.0.0, < 1.15.1
  • MEDIUM 6.5 | CVE-2026-42044 | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
    >= 1.0.0, < 1.15.2
  • MEDIUM 6.5 | CVE-2023-45857 | Axios Cross-Site Request Forgery Vulnerability
    >= 1.0.0, < 1.6.0
  • MEDIUM 5.9 | CVE-2026-39865 | Axios HTTP/2 Session Cleanup State Corruption Vulnerability
    >= 1.13.0, < 1.13.2
  • MEDIUM 5.9 | CVE-2020-28168 | Axios vulnerable to Server-Side Request Forgery
    from 0, < 0.21.1
  • MEDIUM 5.4 | CVE-2026-42042 | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
    >= 1.0.0, < 1.15.1
  • MEDIUM 5.3 | CVE-2026-42037 | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
    >= 1.0.0, < 1.15.1
  • MEDIUM 5.3 | CVE-2026-42034 | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
    >= 1.0.0, < 1.15.1
  • MEDIUM 5.3 | CVE-2026-42036 | Axios: HTTP adapter streamed responses bypass maxContentLength
    >= 1.0.0, < 1.15.1
  • MEDIUM 5.3 | CVE-2025-27152 | axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
    >= 1.0.0, < 1.8.2
  • MEDIUM 4.8 | CVE-2026-44490 | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
    >= 1.0.0, < 1.16.0
  • MEDIUM 4.8 | CVE-2026-42041 | Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
    >= 1.0.0, < 1.15.1
  • MEDIUM 4.8 | CVE-2026-40175 | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
    >= 1.0.0, < 1.15.0
  • MEDIUM 4.8 | CVE-2025-62718 | Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
    >= 1.0.0, < 1.15.0
  • LOW 3.7 | CVE-2026-44489 | Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
    >= 1.15.2, < 1.16.0
  • LOW 3.7 | CVE-2026-42040 | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
    >= 1.0.0, < 1.15.1