References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj

Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to version 1.11.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Version 1.11.0 contains a patch for the issue.

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770

https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593

https://github.com/axios/axios/pull/7011

https://github.com/axios/axios/releases/tag/v1.12.0

https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj