Axios (Node.js) – Support, CVEs & Health

GHSA-35jp-ww65-95wh CVSS_V3

axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`

Published: 2026-05-29 Fixed in: 1.16.0

GHSA-3g43-6gmg-66jw CVSS_V3

axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge

Published: 2026-05-29 Fixed in: 1.15.2

GHSA-3p68-rc4w-qgx5 CVSS_V3

Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

Published: 2026-04-09 Fixed in: 1.15.0

GHSA-3w6x-2g7m-8v23 CVSS_V3

Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

Published: 2026-05-05 Fixed in: 1.15.2

GHSA-42xw-2xvc-qx8m CVSS_V3

Denial of Service in axios

Published: 2019-05-29 Fixed in: 0.18.1

GHSA-43fc-jf86-j433 CVSS_V3

Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig

Published: 2026-02-09 Fixed in: 1.13.5

GHSA-445q-vr5w-6q77 CVSS_V3

Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream

Published: 2026-05-05 Fixed in: 1.15.1

GHSA-4hjh-wcwx-xvwj CVSS_V3

Axios is vulnerable to DoS attack through lack of data size check

Published: 2025-09-11 Fixed in: 1.12.0

GHSA-4w2v-q235-vp99 CVSS_V3

Axios vulnerable to Server-Side Request Forgery

Published: 2021-01-04 Fixed in: 0.21.1

GHSA-5c9x-8gcm-mpgx CVSS_V3

Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0

Published: 2026-05-05 Fixed in: 1.15.1

Axios