Security Bulletin:Axios HTTP/2 Session Cleanup Logic State Corruption Bug Fixed in 1.13.2

Summary Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The...

CVE-2026-39865

A flaw was found in Axios, a promise-based HTTP client. A malicious server can exploit a state corruption bug within the HTTP/2 session cleanup logic, specifically in the Http2Sessions.getSession method. By initiating concurrent session closures, the server can trigger a control flow error, leadi...

GHSA-QJ83-CQ47-W5F8 Axios HTTP/2 Session Cleanup State Corruption Vulnerability

Summary Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. This denial-of-service vulnerability affects axios versions prior to 1.13.2 when HTTP/2 is enabled. Details The vulnerability...

Allocation of Resources Without Limits or Throttling

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the Http2Sessions.getSession function in the HTTP/2 session cleanup. An attacker can cause the client process...

DEBIAN-CVE-2026-39865

Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability...