Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package axios, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (34)
CVE-2025-62718 — CVSS 9.9 (critical): Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname…
CVE-2026-44494 — CVSS 8.7 (high): Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a…
CVE-2026-44492 — CVSS 8.6 (high): Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6…
CVE-2019-10742 — CVSS 7.5 (high): Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after…
CVE-2024-39338 — CVSS 7.5 (high): axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
CVE-2025-58754 — CVSS 7.5 (high): Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and…
CVE-2026-25639 — CVSS 7.5 (high): Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios…
CVE-2026-42039 — CVSS 7.5 (high): Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects…
CVE-2026-44486 — CVSS 7.5 (high): Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy…
CVE-2026-44487 — CVSS 7.5 (high): Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a…
CVE-2026-44488 — CVSS 7.5 (high): Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request…
CVE-2026-44496 — CVSS 7.5 (high): Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x…
CVE-2026-42035 — CVSS 7.4 (high): Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the…
CVE-2026-42033 — CVSS 7.4 (high): Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by…
CVE-2026-42264 — CVSS 7.4 (high): Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties…
CVE-2026-42043 — CVSS 7.2 (high): Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL…
CVE-2026-44495 — CVSS 7.0 (high): Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains…
CVE-2026-42038 — CVSS 6.8 (medium): Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization…
CVE-2026-42044 — CVSS 6.5 (medium): Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a…
CVE-2023-45857 — CVSS 6.5 (medium): An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header…
CVE-2020-28168 — CVSS 5.9 (medium): Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by…
CVE-2026-39865 — CVSS 5.9 (medium): Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session…
CVE-2026-42042 — CVSS 5.4 (medium): Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection…
CVE-2026-42037 — CVSS 5.3 (medium): Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in…
CVE-2026-42036 — CVSS 5.3 (medium): Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios…
CVE-2026-42034 — CVSS 5.3 (medium): Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is…
CVE-2025-27152 — CVSS 5.3 (medium): axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative…
CVE-2026-42041 — CVSS 4.8 (medium): Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a…
CVE-2026-44490 — CVSS 4.8 (medium): Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side…
CVE-2026-40175 — CVSS 4.8 (medium): Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific…
CVE-2026-42040 — CVSS 3.7 (low): Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in…
CVE-2026-44489 — CVSS 3.7 (low): Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge()…
CVE-2025-54371: Rejected reason: This CVE is a duplicate of another CVE.