axios

Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions

axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)

Server-Side Request Forgery in axios

Axios Cross-Site Request Forgery Vulnerability

Malicious code in axios (npm)

Withdrawn Advisory: Axios has Transitive Critical Vulnerability via form-data

Axios vulnerable to Server-Side Request Forgery

axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

Axios is vulnerable to DoS attack through lack of data size check

axios Inefficient Regular Expression Complexity vulnerability

axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`

Axios HTTP/2 Session Cleanup State Corruption Vulnerability

Allocation of Resources Without Limits or Throttling in Axios

Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection

Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection

Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig

Denial of Service in axios

Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0

Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

Axios: Header Injection via Prototype Pollution

Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking

Axios: HTTP adapter streamed responses bypass maxContentLength

Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter

Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream

Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge

Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking

Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion

Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

Axios: no_proxy bypass via IP alias allows SSRF

Malicious code in adsk_react_axios (npm)

yapi disables TLS/SSL certificate validation via rejectUnauthorized: false in Axios HTTPS agent

Malicious code in axios-mockadptr (npm)

Malicious code in axios-cookiesupport (npm)

Malicious code in axios-proxy (npm)

Malicious code in ancestry-axios (npm)

Malicious code in @athena-ui-components/axios (npm)

Malicious code in @12build/account-api-ts-axios-sdk (npm)

Malicious code in axios-builder (npm)

Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions

Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)

Malicious code in usaa-axios-factory (npm)

axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header

Malicious code in axios-hehe (npm)

Malicious code in axios-older (npm)

Malicious code in axios-timed (npm)

Malicious code in @12build/product-api-ts-axios-sdk (npm)

Malicious code in trin-axios (npm)

Malicious code in @deadcode09284814/axios-util (npm)

Malicious code in @qwedqwed/axios (npm)

Malicious code in axiosqqq (npm)

Malicious code in pulse-axios (npm)

Malicious code in axios-browseragent (npm)

Malicious code in turbo-axios (npm)

Malicious code in axios-replace (npm)

Malicious code in sync-axios (npm)

Malicious code in webpathaxios (npm)

Malicious code in axios-fingerprint (npm)

Axios npm Supply Chain Incident Impacting @usebruno/cli

Malicious code in @frozen-team-qa/axios-client (npm)

Malicious code in axios-browserify (npm)

Malicious code in @sev-ui-verse/axios-client (npm)

Malicious code in axios.js (npm)

Malicious code in v018-axios-cdntest (npm)

Malicious code in axios-cancelable (npm)