CVE-2026-21697
Race Condition in axios4go HTTP Client Causes Data Exposure
Publication date: 2026-01-07
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rezmoss | axios4go | up to 0.6.4 (excluding) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a race condition in the axios4go Go HTTP client library prior to version 0.6.4. The global default HTTP client configuration is modified concurrently without proper synchronization during request execution. Specifically, the shared http.Client's Transport, Timeout, and CheckRedirect properties are mutated while multiple requests run concurrently, which can cause unexpected behavior or security issues.
How can this vulnerability impact me?
The vulnerability can impact applications that use axios4go with concurrent requests, especially if different requests use different proxy configurations or handle sensitive data such as authentication credentials, tokens, or API keys. The race condition may lead to incorrect or unintended sharing of HTTP client settings between requests, potentially exposing sensitive information or causing request failures.
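The two answers above describe the defect in general terms: a single package-level http.Client whose Transport, Timeout and CheckRedirect fields are rewritten before each request, so settings meant for one request (a proxy, a timeout) end up applied to another. The following Go program is an added example written for this page; it is not axios4go's own code and does not use its API. It models the unsafe shape with a hypothetical configureShared function that mutates a global client, and contrasts it with a hypothetical ClientFactory that copies a read-only base client per request. The proxy URLs and target host are constructed sample values; nothing is dialled, only the resulting client configuration is inspected.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"sync"
	"time"
)

// Constructed sample proxies for two logically separate requests.
const (
	proxyA = "http://proxy-a.example.invalid:8080"
	proxyB = "http://proxy-b.example.invalid:8080"
)

// sharedClient models the vulnerable shape (hypothetical, not axios4go's code):
// one global http.Client whose fields are rewritten before every request.
var sharedClient = &http.Client{}

// configureShared mutates the global client in place and hands the same
// pointer to every caller. Concurrent callers race on Transport and Timeout;
// even sequential callers silently overwrite each other's settings.
func configureShared(proxy string, timeout time.Duration) (*http.Client, error) {
	u, err := url.Parse(proxy)
	if err != nil {
		return nil, err
	}
	sharedClient.Transport = &http.Transport{Proxy: http.ProxyURL(u)}
	sharedClient.Timeout = timeout
	return sharedClient, nil
}

// ClientFactory is the safe shape: the base configuration is only ever read
// under a lock, and every request receives its own http.Client value.
type ClientFactory struct {
	mu   sync.RWMutex
	base http.Client
}

func (f *ClientFactory) SetBaseTimeout(d time.Duration) {
	f.mu.Lock()
	defer f.mu.Unlock()
	f.base.Timeout = d
}

// ClientFor copies the base client (Timeout, CheckRedirect, Jar travel with
// the struct copy) and attaches a transport private to this request.
func (f *ClientFactory) ClientFor(proxy string) (*http.Client, error) {
	u, err := url.Parse(proxy)
	if err != nil {
		return nil, err
	}
	f.mu.RLock()
	c := f.base
	f.mu.RUnlock()
	c.Transport = &http.Transport{Proxy: http.ProxyURL(u)}
	return &c, nil
}

// proxyOf reports which proxy a client would use for a plain HTTP request.
func proxyOf(c *http.Client) (string, error) {
	t, ok := c.Transport.(*http.Transport)
	if !ok || t.Proxy == nil {
		return "", fmt.Errorf("no proxy-aware transport configured")
	}
	req, err := http.NewRequest(http.MethodGet, "http://target.example.invalid/", nil)
	if err != nil {
		return "", err
	}
	u, err := t.Proxy(req)
	if err != nil || u == nil {
		return "", err
	}
	return u.String(), nil
}

// SharedLeak reproduces the defect deterministically: request A is configured,
// request B is configured before A is sent, and A now carries B's proxy.
func SharedLeak() (string, error) {
	a, err := configureShared(proxyA, 5*time.Second)
	if err != nil {
		return "", err
	}
	if _, err := configureShared(proxyB, 5*time.Second); err != nil {
		return "", err
	}
	return proxyOf(a) // proxyB, not the proxy request A asked for
}

// IsolatedClients drives n goroutines through the factory and reports whether
// every request kept exactly the proxy and timeout it asked for.
func IsolatedClients(n int) (bool, error) {
	f := &ClientFactory{}
	f.SetBaseTimeout(5 * time.Second)
	var wg sync.WaitGroup
	ok := make([]bool, n)
	errs := make([]error, n)
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			want := proxyA
			if i%2 == 1 {
				want = proxyB
			}
			c, err := f.ClientFor(want)
			if err != nil {
				errs[i] = err
				return
			}
			got, err := proxyOf(c)
			errs[i] = err
			ok[i] = err == nil && got == want && c.Timeout == 5*time.Second
		}(i)
	}
	wg.Wait()
	for i := range ok {
		if errs[i] != nil {
			return false, errs[i]
		}
		if !ok[i] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	leaked, _ := SharedLeak()
	fmt.Println("shared client: request A would now use", leaked)
	isolated, _ := IsolatedClients(100)
	fmt.Println("per-request clients kept their own settings:", isolated)
}
```

Running the shared pattern under `go test -race` with concurrent callers reports a data race on the client's fields; the sequential SharedLeak function shows the same problem without timing luck, which is the practical check to run against any wrapper that hands out a global client. The factory version is what CWE-362 mitigation looks like here: per-request state lives in a per-request value, and the only shared state is read under a lock.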
What immediate steps should I take to mitigate this vulnerability?
Upgrade axios4go to version 0.6.4 or later, as this version fixes the race condition vulnerability in the shared HTTP client configuration.