Axios is a widely used npm package. As of 2026-05-24, there are 25 known vulnerabilities in the OSV database. The latest stable version is 1.16.1. Developers should audit their dependency trees and update to patched versions.
Package Overview
Known Vulnerabilities (25)
| ID | Severity | Score | Affected Versions | Fixed In | Description |
|---|---|---|---|---|---|
| CVE-2019-10742 | HIGH | 7.5 | 0 to 0.18.1 | 0.18.1 | Denial of Service in axios |
| CVE-2026-25639 | HIGH | 7.5 | 1.0.0 to 1.13.5; 0 to 0.30.3 | 1.13.5 | Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig |
| CVE-2025-58754 | HIGH | 7.5 | 1.0.0 to 1.12.0; 0.28.0 to 0.30.2 | 1.12.0 | Axios is vulnerable to DoS attack through lack of data size check |
| CVE-2026-42035 | HIGH | 7.5 | 1.0.0 to 1.15.1; 0 to 0.31.1 | 1.15.1 | Axios: Header Injection via Prototype Pollution |
| CVE-2024-39338 | HIGH | 7.5 | 1.3.2 to 1.7.4 | 1.7.4 | Server-Side Request Forgery in axios |
| CVE-2021-3749 | HIGH | 7.5 | 0 to 0.21.2 | 0.21.2 | axios Inefficient Regular Expression Complexity vulnerability |
| CVE-2025-27152 | HIGH | 7.5 | 1.0.0 to 1.8.2; 0 to 0.30.0 | 1.8.2 | axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL |
| CVE-2026-42033 | HIGH | 7.5 | 1.0.0 to 1.15.1; 0 to 0.31.1 | 1.15.1 | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking |
| CVE-2026-42043 | HIGH | 7.5 | 1.0.0 to 1.15.1; 0 to 0.31.1 | 1.15.1 | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 |
| CVE-2026-42264 | HIGH | 7.5 | 1.0.0 to 1.15.2 | 1.15.2 | Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking |
| CVE-2025-62718 | MODERATE | 5.0 | 1.0.0 to 1.15.0; 0 to 0.31.0 | 1.15.0 | Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF |
| CVE-2026-42044 | MODERATE | 5.0 | 1.0.0 to 1.15.2 | 1.15.2 | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` |
| CVE-2026-42037 | MODERATE | 5.0 | 1.0.0 to 1.15.1 | 1.15.1 | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream |
| CVE-2020-28168 | MODERATE | 5.0 | 0 to 0.21.1 | 0.21.1 | Axios vulnerable to Server-Side Request Forgery |
| CVE-2026-42034 | MODERATE | 5.0 | 1.0.0 to 1.15.1; 0 to 0.31.1 | 1.15.1 | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 |
| CVE-2026-42039 | MODERATE | 5.0 | 1.0.0 to 1.15.1; 0 to 0.31.1 | 1.15.1 | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data |
| CVE-2026-40175 | MODERATE | 5.0 | 1.0.0 to 1.15.0; 0 to 0.31.0 | 1.15.0 | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain |
| CVE-2026-42038 | MODERATE | 5.0 | 1.0.0 to 1.15.1; 0 to 0.31.1 | 1.15.1 | Axios: no_proxy bypass via IP alias allows SSRF |
| CVE-2026-39865 | MODERATE | 5.0 | 1.13.0 to 1.13.2 | 1.13.2 | Axios HTTP/2 Session Cleanup State Corruption Vulnerability |
| CVE-2026-42036 | MODERATE | 5.0 | 1.0.0 to 1.15.1; 0 to 0.31.1 | 1.15.1 | Axios: HTTP adapter streamed responses bypass maxContentLength |
| CVE-2026-42041 | MODERATE | 5.0 | 1.0.0 to 1.15.1; 0 to 0.31.1 | 1.15.1 | Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy |
| CVE-2023-45857 | MODERATE | 5.0 | 1.0.0 to 1.6.0; 0.8.1 to 0.28.0 | 1.6.0 | Axios Cross-Site Request Forgery Vulnerability |
| CVE-2026-42042 | MODERATE | 5.0 | 1.0.0 to 1.15.1; 0 to 0.31.1 | 1.15.1 | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion |
| CVE-2026-42040 | LOW | 2.5 | 1.0.0 to 1.15.1; 0 to 0.31.1 | 1.15.1 | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams |
| MAL-2026-2307 | UNKNOWN | - | See advisory | N/A | Malicious code in axios (npm) |
Security Recommendations
- Pin Axios to the latest stable version (1.16.1) in your dependency manifest
- Enable automated dependency updates with Dependabot or Renovate
- Run regular vulnerability scans using `npm audit`
- Review your lock file (`package-lock.json`) after every update
- Monitor the OSV database and NIST NVD for new advisories
FAQ
Is Axios safe to use?
Axios is actively maintained and widely used. As of 2026-05-24, there are 25 known vulnerabilities listed in the OSV database. Most have patches available. Keeping your dependencies updated and running regular security audits significantly reduces risk.
What vulnerabilities does Axios have?
The OSV database currently lists 25 vulnerabilities for Axios. These range in severity and are detailed in the vulnerability table above. Check the linked advisories for full technical details and remediation guidance.
How do I update Axios to fix vulnerabilities?
Run `npm update axios` or `npm install axios@latest` to get the newest version. Use `npm audit` to identify vulnerable dependencies in your project. Enable automated updates with Dependabot or Renovate to stay current.
Using AI-Generated Code with Axios?
Our vibe coding security audit checks for misconfigurations, exposed secrets and vulnerable dependencies in AI-generated codebases. If your project uses Axios, we can verify it is locked to a safe version and properly configured.