4641 matches found
Denial Of Service (DoS)
Axios is vulnerable to Denial Of Service DoS. The vulnerability is due to a state corruption bug in HTTP/2 session cleanup logic, which allows a malicious server to trigger concurrent session closures and crash the client process...
Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to denial of service (CVE-2026-39865)
Summary Node.js module axios is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability in Node.js module axios CVE-2026-3986...
Malicious code in @athena-ui-components/axios (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ec575fc86c9df0e6b2ab1a970a32ecf46d6c83971e173f481ecf7e87184260a9 The package @athena-ui-components/axios was found to contain malicious code. Source: ossf-package-analysis...
Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection
Summary The conditions filter webhook at libs/application-generic/src/usecases/conditions-filter/conditions-filter.usecase.ts line 261 sends POST requests to user-configured URLs using raw axios.post with no SSRF validation. The HTTP Request workflow step in the same codebase correctly uses...
Exploit for CVE-2026-40175
audit-axios Scan local repos for vulnerable axios versions an...
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
Summary When an HTTP request follows a cross-domain redirect 301/302/307/308, follow-redirects only strips authorization, proxy-authorization, and cookie headers matched by regex at index.js:469-476. Any custom authentication header e.g., X-API-Key, X-Auth-Token, Api-Key, Token is forwarded...
org.webjars.npm:axios (=0.15.3), org.webjars.npm:github-build (=1.2.0) +1 more potentially affected by CVE-2026-40895 via org.webjars.npm:follow-redirects (=1.0.0)
org.webjars.npm:follow-redirects MAVEN version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:follow-redirects and may be impacted: - org.webjars.npm:axios =0.15.3 - org.webjars.npm:github-build =1.2.0 -...
GHSA-R4Q5-VMMM-2653 follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
Summary When an HTTP request follows a cross-domain redirect 301/302/307/308, follow-redirects only strips authorization, proxy-authorization, and cookie headers matched by regex at index.js:469-476. Any custom authentication header e.g., X-API-Key, X-Auth-Token, Api-Key, Token is forwarded...
OpenAI Rotates macOS Certificates Following Axios Supply Chain Breach
OpenAI rotates macOS certificates after downloading a compromised Axios version, urging users to update apps before revoked certificates are blocked in May 2026...
CVE-2026-40175
A flaw was found in Axios, a promise-based HTTP client. This vulnerability, known as Prototype Pollution, can be exploited through a specific "Gadget" attack chain. This allows an attacker to escalate a Prototype Pollution vulnerability in a third-party dependency, potentially leading to remote...
Header Injection
Axios is vulnerable to Header Injection. The vulnerability is due to the presence of a gadget chain that allows existing Prototype Pollution in dependent code to be escalated, enabling attackers to achieve remote code execution or access sensitive resources such as AWS IMDSv2 metadata...
OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
OpenAI revealed a GitHub Actions workflow used to sign its macOS apps led to the download of the malicious Axios library on March 31, but noted that no user data or internal system was compromised. "Out of an abundance of caution, we are taking steps to protect the process that certifies our macO...
Exploit for CVE-2026-40175
🚨 CVE-2026-40175 - Critical Vulnerability in Axios...
SUSE CVE-2025-62718
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NOPROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NOPROXY matching and go...
Linux Distros Unpatched Vulnerability : CVE-2026-40175
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in...
CVE-2025-62718
A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not correctly handle hostname normalization when evaluating NOPROXY rules. An attacker can exploit this by crafting requests to loopback addresses e.g., localhost. or ::1 which bypass the NOPROXY...
DoS (Denial of Service) axios Dependency in Confluence Data Center
This High severity DoS Denial of Service vulnerability was introduced in versions 9.0.1, 9.0.3, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...
DEBIAN-CVE-2026-40175
Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This...
CVE-2026-40175
Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This...
CVE-2026-40175
Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This...