Vulnerability Intelligence
Public vulnerability intelligence, dependency exposure and research context for npm packages.
axios
Promise-based HTTP client for browser and Node.js
HTTP Client
Current tracked
0.22.0
Fixed
0.29.0 / 1.6.3
Affected
< 0.29.0
Axios is a promise-based HTTP client used to perform HTTP requests from both browser and Node.js environments. It simplifies API communication by automatically handling JSON data, headers, request configuration, interceptors, timeouts and request lifecycle management in a developer-friendly way.
Category
HTTP Client
Ecosystem
npm / JavaScript
Common usage
API requests, REST communication, HTTP integrations
Risk model
Input parsing, request transformation, header manipulation
Why it is widely used
Simple API compared to lower-level HTTP handling.
Works across browser and Node.js environments.
Supports interceptors for request and response flows.
Handles JSON, headers, timeout and request configuration cleanly.
Risk score
848
Known issues
18
Exploit maturity
PoC
Vulnerability burndown (chart by severity: Critical, High, Medium)
MTTR critical severity
14 days
Library risk age
340 days
100% lower than last month
Total vulnerabilities
10 Vulnerabilities
Critical 1
High 4
Medium 5
Low 0
| Severity | Vulnerability name | Library | Surface | Status | Published date | SLA | Tags | Actions |
|---|---|---|---|---|---|---|---|---|
| Critical | Cross-site Request Forgery | axios@0.22.0 | HTTP client | New | May 28, 2025 | 7 days | CSRF | |
| High | Regular Expression Denial of Service | axios@0.22.0 | Regex | New | May 16, 2025 | 20 days | ReDoS | |
| High | Prototype Pollution (mergeConfig) | axios <0.31.1 | Config handling | New | Jun 2025 | 30 days | Prototype Pollution | |
| High | Uncontrolled Recursion (toFormData) | axios <0.31.1 | Serializer | New | Jun 2025 | 30 days | DoS | |
| High | HTTP Response Splitting via Headers | axios <0.31.0 | Headers | New | Jun 2025 | 30 days | Header Injection | |
| Medium | Server-side Request Forgery (SSRF) | axios <0.30.0 | Request handling | New | May 2025 | 20 days | SSRF | |
| Medium | XSRF Token Leakage via Config Manipulation | axios <0.31.1 | HTTP headers | New | Jun 2025 | 30 days | Data Leak | |
| Medium | Bypass of maxContentLength (large response) | axios <0.31.1 | HTTP adapter | New | Jun 2025 | 30 days | DoS | |
| Medium | Bypass of maxBodyLength (upload) | axios <0.31.1 | HTTP adapter | New | Jun 2025 | 30 days | DoS | |
| Medium | Improper Encoding (NUL byte injection) | axios <0.31.1 | URL params | New | Jun 2025 | 30 days | Encoding | |
Need private intelligence for your codebase?
Request deeper analysis, exploitability review and dependency risk mapping from the Fikresekhel consulting team.