CVE-2026-39865
Received Received - Intake
State Corruption in Axios HTTP/2 Causes Client Crash

Publication date: 2026-04-08

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39865
EUVD
EUVD-2026-20501
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
axios axios From 1.0.0 (inc) to 1.13.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-662 The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39865 is a vulnerability in the Axios HTTP client library versions prior to 1.13.2 when HTTP/2 is enabled. It is caused by a state corruption bug in the HTTP/2 session cleanup logic within the Http2Sessions.getSession() method. Specifically, when removing sessions from an internal sessions array, the code improperly continues iterating over the array after modifying it, leading to undefined behavior.

This flaw allows a malicious HTTP/2 server to crash the Axios client process by closing multiple concurrent HTTP/2 sessions simultaneously, triggering the buggy cleanup logic and causing the client to access invalid memory.

Compliance Impact

The CVE-2026-39865 vulnerability in Axios causes a denial-of-service (DoS) via client process crash due to a state corruption bug in HTTP/2 session cleanup logic.

This vulnerability does not impact confidentiality or integrity, as it does not disclose information or allow data modification.

Since the vulnerability only affects availability by causing a client crash and does not lead to data breaches or unauthorized access, its direct impact on compliance with data protection regulations like GDPR or HIPAA is limited.

However, availability is a component of many compliance frameworks, so repeated or prolonged denial-of-service conditions could indirectly affect compliance if critical services become unavailable.

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by crashing the client process using Axios with HTTP/2 enabled. An attacker controlling an HTTP/2 server can exploit this by closing multiple sessions at the same time, causing the Axios client to crash.

  • The impact is limited to the affected client process crashing, resulting in loss of availability of the application using Axios.
  • There is no impact on confidentiality or integrity, as the vulnerability does not disclose or modify data.
  • Applications using Axios with HTTP/2 enabled and connecting to untrusted or attacker-controlled servers are at risk.
Detection Guidance

This vulnerability can be detected by identifying if your application is using a vulnerable version of the Axios npm package (prior to 1.13.2) with HTTP/2 enabled.

Detection involves checking the Axios version in your project dependencies and monitoring for client process crashes related to HTTP/2 session handling.

Suggested commands to detect the vulnerable Axios version include:

  • Run `npm list axios` or `yarn list axios` in your project directory to determine the installed Axios version.
  • Check your application's logs or monitoring system for crashes or errors related to HTTP/2 session cleanup or unexpected process termination.
  • If possible, enable debugging or verbose logging for HTTP/2 connections in your Node.js environment to observe abnormal session closure behavior.
Mitigation Strategies

The immediate mitigation step is to upgrade the Axios package to version 1.13.2 or later, where the vulnerability has been fixed.

Additional steps include:

  • Avoid connecting to untrusted or attacker-controlled HTTP/2 servers until the Axios package is updated.
  • If upgrading immediately is not possible, consider disabling HTTP/2 support in Axios or your application as a temporary workaround.
  • Monitor your application for unexpected crashes and implement process supervision to automatically restart the client if it crashes.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39865. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart