Description
When Axios runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response.
Recommendation
Update the axios package to the latest compatible version. Followings are version details:
Affected version(s): **< 0.30.2 >= 1.0.0, < 1.12.0** Patched version(s): **0.30.2 1.12.0**
References
Related Issues
- billboard.js allows prototype pollution via the function generate - CVE-2025-49223
- axios Inefficient Regular Expression Complexity vulnerability - CVE-2021-3749
- Parse Server's custom object ID allows to acquire role privileges - CVE-2024-47183
- XSS in jQuery as used in Drupal, Backdrop CMS, and other products - CVE-2019-11358
- Tags:
- npm
- axios
Anything's wrong? Let us know Last updated on September 29, 2025