Description
When Axios runs on Node.js and is given a URL with the `data:` scheme, it does not make an HTTP request. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response.
Recommendation
Update the axios package to the latest compatible version. The version details are as follows:
Affected version(s): **>= 0.28.0, < 0.30.2** and **>= 1.0.0, < 1.12.0**
Patched version(s): **0.30.2**, **1.12.0**
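Where an application passes caller-supplied URLs to axios on Node.js, a pre-flight scheme check keeps `data:` URLs away from the adapter behaviour described above. This is an added example, not code from the advisory or from the axios project; `checkRequestUrl`, `estimateDataUriBytes` and the 64 KiB budget are hypothetical, and the check assumes absolute URLs.

```javascript
// Added example: pre-flight URL check to run before handing a URL to an HTTP
// client on Node.js. All names and the 64 KiB budget are assumptions.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const MAX_DATA_URI_BYTES = 64 * 1024;

// Upper bound on the decoded size of a data: URI, derived from the string
// length alone so the payload is never decoded into a Buffer.
function estimateDataUriBytes(href) {
  const comma = href.indexOf(',');
  if (comma === -1) throw new Error('malformed data: URI (no comma)');
  const meta = href.slice('data:'.length, comma);
  const payloadLen = href.length - comma - 1;
  // base64 packs 3 bytes into 4 characters; otherwise each character
  // (or %XX escape) decodes to at most one byte.
  return /;\s*base64\s*$/i.test(meta) ? Math.ceil(payloadLen / 4) * 3 : payloadLen;
}

function checkRequestUrl(raw, opts = {}) {
  const { allowDataUri = false, maxDataUriBytes = MAX_DATA_URI_BYTES } = opts;
  let url;
  try {
    url = new URL(raw); // normalises scheme case and strips leading whitespace
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (ALLOWED_SCHEMES.has(url.protocol)) return { ok: true };
  if (url.protocol !== 'data:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (!allowDataUri) return { ok: false, reason: 'data: URLs not allowed' };
  let bytes;
  try {
    bytes = estimateDataUriBytes(url.href);
  } catch (err) {
    return { ok: false, reason: err.message };
  }
  if (bytes > maxDataUriBytes) {
    return { ok: false, reason: `data: payload up to ${bytes} bytes exceeds ${maxDataUriBytes}` };
  }
  return { ok: true, bytes };
}

// Constructed sample inputs.
const samples = ['https://example.com/api', ' DATA:text/plain,hi',
  'data:text/plain;base64,' + 'A'.repeat(100000)];
for (const s of samples) {
  console.log(s.slice(0, 40), '->', JSON.stringify(checkRequestUrl(s, { allowDataUri: true })));
}
```

The guard is defence in depth alongside the upgrade, not a substitute for it.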
References
Related Issues
- @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user - CVE-2025-61668
- undici Denial of Service attack via bad certificate data - CVE-2025-47279
- Webrecorder packages are vulnerable to XSS through 404 error handling logic (GHSA-w765-jm6w-4hhj) - CVE-2025-58765
- Microsoft Playwright MCP Server vulnerable to DNS Rebinding Attack; Allows Attackers Access to All Server Tools - CVE-2025-9611
Tags:
- npm
- axios
Last updated on January 16, 2026