CVE-2025-58754
BaseFortify
Publication date: 2025-09-12
Last updated on: 2025-10-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| axios | axios | Up to 0.30.2 (exc) |
| axios | axios | From 1.0.0 (inc) to 1.12.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in Axios versions prior to 1.11.0 when running on Node.js. If Axios is given a URL with the 'data:' scheme, it does not perform an HTTP request but instead decodes the entire payload into memory and returns a synthetic 200 response. This process ignores the usual protections like maxContentLength and maxBodyLength, allowing an attacker to supply a very large 'data:' URI that causes the process to allocate unbounded memory and crash, resulting in a denial of service (DoS).
How can this vulnerability impact me?
An attacker can exploit this vulnerability by sending a very large 'data:' URI to an application using a vulnerable Axios version on Node.js. This causes the application to consume excessive memory and crash, leading to a denial of service (DoS) condition, which can disrupt availability of the affected service.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Axios to version 1.11.0 or later, as this version contains a patch that fixes the vulnerability.
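The guard below is an added example, not axios's own code or its patch: it estimates the decoded size of a data: URI from the encoded string alone, so an application that must keep running an unpatched build can refuse an oversized payload before axios decodes it into memory. The helper names and the interceptor-style wrapper are assumptions; only the `url` and `maxContentLength` request options come from axios.

```javascript
'use strict';

// Returns the decoded byte length of a data: URI (RFC 2397 form
// "data:[<mediatype>][;base64],<data>") without decoding it, or null
// when the string is not a data: URI. Estimating from the text length
// is the point: the vulnerable path decodes the whole payload first.
function dataUriDecodedSize(url) {
  if (typeof url !== 'string' || !/^data:/i.test(url)) return null;
  const comma = url.indexOf(',');
  if (comma === -1) return null;
  const meta = url.slice(5, comma);          // "[<mediatype>][;base64]"
  const payload = url.slice(comma + 1);
  if (/;base64$/i.test(meta)) {
    // Lenient decoders skip whitespace, so drop it before sizing.
    const body = payload.replace(/\s+/g, '');
    const padding = (body.match(/=+$/) || [''])[0].length;
    return Math.floor((body.length * 3) / 4) - padding;
  }
  // Percent-encoded text: each %XX triple decodes to a single byte;
  // remaining characters are counted one-for-one (a valid URI has
  // already percent-encoded any non-ASCII bytes).
  const escapes = (payload.match(/%[0-9a-f]{2}/gi) || []).length;
  return payload.length - escapes * 2;
}

// Applies the same maxContentLength semantics axios uses for HTTP bodies
// (-1 or unset means unlimited) to a data: URI before any decoding.
function checkDataUri(url, maxContentLength) {
  const size = dataUriDecodedSize(url);
  if (size === null) return { allowed: true, size: null, reason: 'not a data: URI' };
  if (maxContentLength === undefined || maxContentLength === -1) {
    return { allowed: true, size, reason: 'no limit configured' };
  }
  return size > maxContentLength
    ? { allowed: false, size, reason: `decoded size ${size} exceeds maxContentLength ${maxContentLength}` }
    : { allowed: true, size, reason: 'within limit' };
}

// Assumed usage shape for a request interceptor (axios is not imported
// here):  axios.interceptors.request.use(enforceDataUriLimit);
// Rejecting the request keeps the oversized payload out of memory.
function enforceDataUriLimit(config) {
  const verdict = checkDataUri(config.url, config.maxContentLength);
  if (!verdict.allowed) throw new Error(`Rejected data: URI: ${verdict.reason}`);
  return config;
}
```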