Description
When Axios runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response.
Recommendation
Update the axios package to the latest compatible version. Followings are version details:
Affected version(s): **>= 0.28.0, < 0.30.2 >= 1.0.0, < 1.12.0** Patched version(s): **0.30.2 1.12.0**
References
Related Issues
- Webrecorder packages are vulnerable to XSS through 404 error handling logic - replaywebpage - CVE-2025-58765
- undici Denial of Service attack via bad certificate data - CVE-2025-47279
- Deep Merge is Vulnerable to Prototype Pollution Through Lack of Sanitization - CVE-2026-6594
- Webrecorder packages are vulnerable to XSS through 404 error handling logic - CVE-2025-58765
You might also like:
- Tags:
- npm
- axios
Anything's wrong? Let us know Last updated on January 16, 2026


