VIR Vulnerability Intelligence Relay

Package impact

npm npm / axios

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Published Description Impact
CVE-2026-42043 critical 10.0 10.0 1mo ago Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 debiannpm
CVE-2025-62718 critical 9.9 9.9 2mo ago Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback… susedebiannpm
CVE-2026-42264 critical 9.1 9.1 20d ago Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking susedebiannpm
CVE-2026-42044 critical 9.1 9.1 1mo ago Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` debiannpm
CVE-2026-42039 high 7.5 7.5 1mo ago Axios: unbounded recursion in toFormData causes DoS via deeply nested request data debiannpm
CVE-2026-42038 high 7.5 7.5 1mo ago Axios: no_proxy bypass via IP alias allows SSRF debiannpm
CVE-2026-25639 high 7.5 7.5 4mo ago Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig debiannpm
CVE-2026-42035 high 7.4 7.4 1mo ago Axios: Header Injection via Prototype Pollution debiannpm
CVE-2026-42033 high 7.4 7.4 1mo ago Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking debiannpm
CVE-2026-42041 medium 6.5 6.5 1mo ago Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy susedebiannpm
CVE-2026-42042 medium 5.4 5.4 1mo ago Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion debiannpm
CVE-2026-42037 medium 5.3 5.3 1mo ago Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream debiannpm
CVE-2026-42036 medium 5.3 5.3 1mo ago Axios: HTTP adapter streamed responses bypass maxContentLength debiannpm
CVE-2026-42034 medium 5.3 5.3 1mo ago Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 debiannpm
CVE-2026-40175 medium 4.8 4.8 2mo ago Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain debiannpm