Description
When Axios runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response.
Recommendation
Update the axios package to the latest compatible version. Followings are version details:
Affected version(s): **>= 0.28.0, < 0.30.2 >= 1.0.0, < 1.12.0** Patched version(s): **0.30.2 1.12.0**
References
Related Issues
- Axios: unbounded recursion in toFormData causes DoS via deeply nested request data - CVE-2026-42039
- BrowserStack Local vulnerable to Command Injection through logfile variable - CVE-2025-57283
- Strapi core vulnerable to sensitive data exposure via CORS misconfiguration - CVE-2025-53092
- Microsoft Playwright MCP Server vulnerable to DNS Rebinding Attack; Allows Attackers Access to All Server Tools - CVE-2025-9611
You might also like:
- Tags:
- npm
- axios
Anything's wrong? Let us know Last updated on January 16, 2026