CVE-2025-58754
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-12

Last updated on: 2025-10-24

Assigner: GitHub, Inc.

Description
Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Versions 0.30.2 and 1.12.0 contain a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-12
Last Modified
2025-10-24
Generated
2026-06-16
AI Q&A
2025-09-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58754
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
axios axios to 0.30.2 (exc)
axios axios From 1.0.0 (inc) to 1.12.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in Axios versions prior to 1.11.0 when running on Node.js. If Axios is given a URL with the 'data:' scheme, it does not perform an HTTP request but instead decodes the entire payload into memory and returns a synthetic 200 response. This process ignores the usual protections like maxContentLength and maxBodyLength, allowing an attacker to supply a very large 'data:' URI that causes the process to allocate unbounded memory and crash, resulting in a denial of service (DoS).

Impact Analysis

An attacker can exploit this vulnerability by sending a very large 'data:' URI to an application using a vulnerable Axios version on Node.js. This causes the application to consume excessive memory and crash, leading to a denial of service (DoS) condition, which can disrupt availability of the affected service.

Mitigation Strategies

Upgrade Axios to version 1.11.0 or later, as this version contains a patch that fixes the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58754. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart