CVE-2026-39865
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
Axios is a promise-based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-39865
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | fixed | 1.13.2+dfsg-1 |
| debian | sid | fixed | 1.13.2+dfsg-1 |
| debian | trixie | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | axios | >=1.13.0,<1.13.2 | 1.13.2 |
References
- https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8
- https://nvd.nist.gov/vuln/detail/CVE-2026-39865
- https://github.com/axios/axios/commit/0588880ac7ddba7594ef179930493884b7e90bf5
- https://github.com/axios/axios
- https://github.com/axios/axios/releases/tag/v1.13.2
- https://security-tracker.debian.org/tracker/CVE-2026-39865