pkg:Debian/node-axios

25 total CVEs: CRITICAL 1, HIGH 10, MEDIUM 13, LOW 1

All known vulnerabilities

  • CRITICAL 9.8 CVE-2024-57965: In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted…
    from 0
  • HIGH 7.5 CVE-2026-42039: Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
    from 0
  • HIGH 7.5 CVE-2026-25639: Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
    from 0
  • HIGH 7.5 CVE-2025-58754: Axios is vulnerable to DoS attack through lack of data size check
    from 0
  • HIGH 7.5 CVE-2024-39338: Server-Side Request Forgery in axios
    from 0, < 1.7.4+dfsg-1
  • HIGH 7.5 CVE-2021-3749: axios Inefficient Regular Expression Complexity vulnerability
    from 0, < 0.21.1+dfsg-1+deb11u1
  • HIGH 7.5 CVE-2019-10742: Denial of Service in axios
    from 0, < 0.17.1+dfsg-2
  • HIGH 7.4 CVE-2026-42033: Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
    from 0
  • HIGH 7.4 CVE-2026-42035: Axios: Header Injection via Prototype Pollution
    from 0
  • HIGH 7.4 CVE-2026-42264: Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
    from 0
  • HIGH 7.2 CVE-2026-42043: Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
    from 0
  • MEDIUM 6.8 CVE-2026-42038: Axios: no_proxy bypass via IP alias allows SSRF
    from 0
  • MEDIUM 6.5 CVE-2026-42044: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
    from 0
  • MEDIUM 6.5 CVE-2023-45857: Axios Cross-Site Request Forgery Vulnerability
    from 0
  • MEDIUM 5.9 CVE-2026-39865: Axios HTTP/2 Session Cleanup State Corruption Vulnerability
    from 0
  • MEDIUM 5.9 CVE-2020-28168: Axios vulnerable to Server-Side Request Forgery
    from 0, < 0.21.1+dfsg-1
  • MEDIUM 5.4 CVE-2026-42042: Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
    from 0
  • MEDIUM 5.3 CVE-2026-42037: Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
    from 0
  • MEDIUM 5.3 CVE-2026-42034: Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
    from 0
  • MEDIUM 5.3 CVE-2026-42036: Axios: HTTP adapter streamed responses bypass maxContentLength
    from 0
  • MEDIUM 5.3 CVE-2025-27152: axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
    from 0
  • MEDIUM 4.8 CVE-2026-42041: Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
    from 0
  • MEDIUM 4.8 CVE-2026-40175: Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
    from 0
  • MEDIUM 4.8 CVE-2025-62718: Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
    from 0
  • LOW 3.7 CVE-2026-42040: Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
    from 0