Vulnerability Intelligence

Public vulnerability intelligence, dependency exposure and research context for npm packages.

•••
🌐

axios

Promise-based HTTP client for browser and Node.js security research

Current tracked
Current tracked 1.18.0
Fixed 1.18.0+
Affected <1.8.2; 1.13.0-1.13.1; <1.15.0; 1.15.0; <1.16.0; malicious: 1.14.1, 0.30.4

Axios is a widely used promise-based HTTP client for browsers and Node.js. It is commonly placed on authentication, API integration, redirect, proxy and service-to-service boundaries. Its current security relevance includes SSRF and credential leakage via URL resolution behavior, proxy and NO_PROXY bypasses, HTTP/2 denial-of-service conditions, header handling risks, and a confirmed 2026 npm supply-chain compromise involving malicious axios versions. Production usage should prefer axios 1.18.0 or later and explicitly block malicious versions 1.14.1 and 0.30.4.

Category HTTP Client
Ecosystem npm / JavaScript
Common usage API clients, frontend requests, backend integrations, authentication flows, redirects, headers, JSON payloads and HTTP automation.
Risk model High-risk dependency when used with SSRF-sensitive flows, proxy rules, redirects, custom headers, credentials or untrusted URL construction.
•••
Why it is widely used
Simple and consistent API compared to native HTTP implementations.
Works across browsers and Node.js with a unified programming model.
Provides built-in handling for JSON payloads, headers, redirects and timeouts.
Supports interceptors for authentication, logging, observability and request manipulation.
Frequently embedded in SDKs, cloud integrations, payment platforms and third-party connectors.
Commonly used in service-to-service architectures and distributed systems.
Acts as a trust-boundary component between user-controlled input and external services.
Frequently appears in SSRF-sensitive request flows and proxy-controlled environments.
Risk score 92
Known issues 17
Exploit maturity Public advisories, confirmed supply-chain compromise, reproducible PoCs and active operational relev
•••
Vulnerability burndown
Mar 2025 May 2026
Critical High Medium
•••
MTTR critical severity
7 days
No data
•••
Library risk age
277 days
92% lower than last month
•••
Total vulnerabilities
17 Vulnerabilities
Critical 2 High 7 Medium 8 Low 0
Severity Vulnerability name Library Surface Status Published date SLA Tags Actions
Critical Cross-site Request Forgery axios@0.22.0 HTTP client New May 28, 2025 7 days CSRF
Critical Malicious npm Package Versions Delivered Cross-Platform RAT axios@1.14.1; axios@0.30.4 Supply chain / npm package publication Remediated 2026-03-31 Remove malicious versions; rotate credentials; rebuild from clean environment Supply Chain
High Regular Expression Denial of Service axios@0.22.0 Regex New May 16, 2025 20 days ReDoS
High Prototype Pollution (mergeConfig) axios <0.31.1 Config handling New Jun 2025 30 days Prototype Pollution
High NO_PROXY Bypass via IPv4-Mapped IPv6 Addresses axios >=1.0.0 <1.16.0; axios <=0.31.1 Proxy / NO_PROXY handling Published 2026-05-29 Upgrade to 1.16.0 or 0.32.0 SSRF
High Incomplete Fix for NO_PROXY Bypass via 127.0.0.0/8 Loopback Subnet axios 1.15.0 Proxy / NO_PROXY handling Published 2026-05-05 Upgrade beyond 1.15.0 SSRF
High Uncontrolled Recursion (toFormData) Validated PoC axios <0.31.1 Serializer / multipart form-data conversion Published 2025-06-01 Upgrade to 0.31.1 DoS
High HTTP Response Splitting via Headers Validated PoC axios <0.31.0 Headers / CRLF propagation Published 2025-06-01 Upgrade to 0.31.0 Header Injection
High SSRF and Credential Leakage via Absolute URL Override axios <1.8.2 Request URL resolution Published 2025-03-06 Upgrade to 1.8.2 SSRF
Medium NO_PROXY Hostname Normalization Bypass Leading to SSRF axios <1.15.0; axios <0.31.0 Proxy / NO_PROXY handling Published 2026-04-09 Upgrade to 1.15.0 or 0.31.0 SSRF
Medium Cloud Metadata Exfiltration via Header Injection Chain axios >=1.0.0 <1.15.0; axios <0.31.0 Headers / proxy / metadata service Published 2026-04-09 Upgrade to 1.15.0 or 0.31.0 Header Injection
Medium HTTP/2 Session Cleanup Denial of Service axios >=1.13.0 <1.13.2 HTTP/2 adapter Published 2026-04-08 Upgrade to 1.13.2 DoS
Medium XSRF Token Leakage via Config Manipulation Validated PoC axios <0.31.1 HTTP headers / XSRF token propagation Published 2025-06-01 Upgrade to 0.31.1 Data Leak
Medium Bypass of maxContentLength (large response) Validated PoC axios <0.31.1 HTTP adapter / stream response handling Published 2025-06-01 Upgrade to 0.31.1 DoS
Medium Bypass of maxBodyLength (upload) Validated PoC axios <0.31.1 HTTP adapter / streamed upload handling Published 2025-06-01 Upgrade to 0.31.1 DoS
Medium Improper Encoding (NUL byte injection) Validated PoC axios <0.31.1 URL params / AxiosURLSearchParams serialization Published 2025-06-01 Upgrade to 0.31.1 Encoding
Medium Server-side Request Forgery (SSRF) Validated PoC axios <0.30.0 Request handling / user-controlled URL fetching Published 2025-05-01 Upgrade to 0.30.0 SSRF
No vulnerability records match the selected filter.
FikreSekhel Research

Research Notes

Behavioral findings, exploitability observations and operational dependency intelligence produced by FikreSekhel for this library.

FS-AXIOS-REDIRECT-001

Cross-Origin Redirect Custom Header Leakage

Custom credential propagation across outbound trust-boundary transitions

Validated High Confirmed
Runtime validation confirmed that Axios redirect processing may preserve application-defined custom sensitive headers during cross-origin redirect chains even when standard Authorization headers are stripped.
Surface Redirect Processing
Primitive Custom Header Credential Propagation
Tested versions 1.8.1
Observed behavior

FikreSekhel runtime instrumentation demonstrated that a trusted Axios client initiated a request toward an expected internal origin, received a redirect response, and automatically followed the redirect to a different origin while preserving X-API-Key header material. Authorization was removed, but custom credential propagation persisted across origin transition.

Security implication

Applications relying exclusively on Authorization stripping during redirect handling may still leak service credentials encoded in custom headers. This creates credential exposure risk in webhook processors, API gateways, redirect-capable integrations, metadata retrieval services and multi-tenant backend routing flows.

Mitigation

Disable automatic redirects when unnecessary, sanitize redirect destinations explicitly, and strip all custom credential-bearing headers using beforeRedirect hooks. Treat redirect traversal as an explicit outbound trust-boundary transition.

Observed before mitigation 
Initial trusted request included Authorization and X-API-Key toward internal destination.
Observed after mitigation 
Redirected cross-origin request removed Authorization but preserved X-API-Key toward untrusted destination.
View FRES detection heuristic 
Flag outbound clients where reusable credential-bearing instances permit redirect traversal across trust zones.
Behavioral Analysis 2026-05-25
1 2 3 4
Need private intelligence for your codebase? Request deeper analysis, exploitability review and dependency risk mapping from the Fikresekhel consulting team.