Description
Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. This denial-of-service vulnerability affects axios versions prior to 1.13.2 when HTTP/2 is enabled.
Recommendation
Update the axios package to the latest compatible version. Version details:
- Affected version(s): >= 1.13.0, < 1.13.2
- Patched version(s): 1.13.2
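One way to check whether a project resolves axios to an affected version, as an added example that is not part of the original advisory or of axios itself. It applies the range from the version details above to a parsed npm `package-lock.json`; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag axios copies in the advisory's affected range
// (>= 1.13.0, < 1.13.2) inside a parsed npm package-lock.json.

// Parse "major.minor.patch"; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Negative, zero or positive, like a sort comparator.
const compare = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Range from the advisory: >= 1.13.0 and < 1.13.2.
function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, [1, 13, 0]) >= 0 && compare(v, [1, 13, 2]) < 0;
}

// Return every affected axios copy, including nested transitive ones.
// Reads "packages" (lockfileVersion 2/3), else "dependencies" (version 1).
function findAffectedAxios(lock) {
  const hits = [];
  const check = (path, meta) => {
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  };
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "axios") check(path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/axios")) check(path, meta);
    }
  } else {
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.13.2" },
  "node_modules/demo-sdk/node_modules/axios": { version: "1.13.1" },
} };
console.log(findAffectedAxios(SAMPLE_LOCK));
```

To scan a real project, pass the result of `JSON.parse` on its `package-lock.json` contents to `findAffectedAxios`; nested copies pulled in by other dependencies are reported with their full `node_modules` path.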
Related Issues
- Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking - CVE-2026-42264
- Axios: HTTP adapter streamed responses bypass maxContentLength - CVE-2026-42036
- Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 - CVE-2026-42034
- Payload's SQLite adapter Session Fixation vulnerability - @payloadcms/next - CVE-2025-4644
Tags: npm, axios
Last updated on April 27, 2026


