EXECUTIVE SUMMARY:
Four high-severity vulnerabilities have been discovered in the Axios HTTP client library affecting multiple versions of the package. The flaws include two separate proxy credential disclosure issues, a Regular Expression Denial of Service (ReDoS) vulnerability, and a resource exhaustion weakness in the Fetch adapter. Successful exploitation could allow attackers to leak proxy authentication credentials to attacker-controlled servers, trigger excessive CPU consumption through crafted cookie names, or exhaust system resources by bypassing configured request and response size limits. The vulnerabilities primarily affect Node.js deployments using Axios' HTTP or Fetch adapters and have been addressed through security updates.
CVE-2026-44496 with a CVSS score of 7.5 - Axios improperly constructs a regular expression from a user-influenced XSRF cookie name without escaping regex metacharacters. An attacker able to control the cookie name can trigger catastrophic regex backtracking and cause excessive CPU consumption, potentially freezing browser tabs or degrading application availability.
CVE-2026-44488 with a CVSS score of 7.5 - Axios Fetch adapter fails to enforce configured maxContentLength and maxBodyLength restrictions. A malicious server or attacker-controlled input can cause oversized uploads or downloads that bypass intended limits, potentially leading to memory, CPU, or network resource exhaustion in server-side environments.
CVE-2026-44487 with a CVSS score of 8.2 - In Node.js environments using authenticated HTTP proxies, Axios may forward Proxy-Authorization headers to redirected destination servers when transitioning from proxied HTTP requests to direct HTTPS connections. This can expose proxy credentials to attacker-controlled endpoints.
CVE-2026-44486 with a CVSS score of 7.5 - Axios may retain and forward stale Proxy-Authorization headers after redirects when proxy settings are re-evaluated and the redirected request no longer uses a proxy. An attacker controlling the redirect target could obtain proxy credentials intended only for intermediary proxy servers.
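Added example (not part of the advisory and not Axios' own code): the weakness class behind CVE-2026-44496, a RegExp built from an unescaped, user-influenced cookie name, shown beside two hardened forms. Function names and the sample Cookie string are constructed for illustration.

```javascript
// Added example (not Axios' own code; names are hypothetical): a RegExp built
// from an unescaped cookie name, beside two hardened alternatives.

// Vulnerable pattern: the cookie name is interpolated straight into the regex
// source. Metacharacters in the name change the pattern's meaning: "." matches
// any character, an unbalanced "(" makes the constructor throw, and
// quantifiers can produce heavy backtracking on long Cookie strings.
function readCookieUnsafe(cookieHeader, name) {
  const re = new RegExp('(^|;\\s*)(' + name + ')=([^;]*)');
  const m = cookieHeader.match(re);
  return m ? decodeURIComponent(m[3]) : null;
}

// Mitigation 1: escape every regex metacharacter so the name is matched
// literally and cannot alter the pattern's structure.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function readCookieEscaped(cookieHeader, name) {
  const re = new RegExp('(^|;\\s*)(' + escapeRegExp(name) + ')=([^;]*)');
  const m = cookieHeader.match(re);
  return m ? decodeURIComponent(m[3]) : null;
}

// Mitigation 2 (preferred): no dynamic regex at all. Split on ';' and compare
// names by string equality; work is linear in the header length no matter
// what the name contains.
function readCookieSafe(cookieHeader, name) {
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// True if the unsafe construction throws for this name (e.g. unbalanced "(").
function unsafeConstructorThrows(name) {
  try { readCookieUnsafe('', name); return false; }
  catch (e) { return e instanceof SyntaxError; }
}

// Constructed sample (not from the page): a decoy cookie whose name differs
// from the real one only where "." in the configured name matches any char.
const SAMPLE_COOKIES = 'XASRF-TOKEN=wrong; X.SRF-TOKEN=right';
```

With the configured name `X.SRF-TOKEN`, the unsafe reader returns the decoy's value while both hardened readers return the real one.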
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-hfxv-24rg-xrqf
https://github.com/advisories/GHSA-777c-7fjr-54vf
https://github.com/advisories/GHSA-p92q-9vqr-4j8v
https://github.com/advisories/GHSA-j5f8-grm9-p9fc