CVE-2026-44496
ReDoS in Axios via Malicious XSRF Cookie Name

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios reads document.cookie. The practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read document.cookie. This vulnerability is fixed in 0.32.0 and 1.16.0.
Affected Vendors & Products
Vendor   Product   Version / Range
axios    axios     0.x line, all versions before 0.32.0
axios    axios     1.x line, all versions before 1.16.0
CWE
CWE-400 (Uncontrolled Resource Consumption): The product does not properly control the allocation and maintenance of a limited resource.
CWE-1333 (Inefficient Regular Expression Complexity): The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Executive Summary

CVE-2026-44496 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Axios HTTP client library. It occurs because Axios versions before 0.32.0 (0.x line) and before 1.16.0 (1.x line) build a regular expression from the configured XSRF cookie name without escaping regex metacharacters.

An attacker who can influence the cookie name can inject malicious regex patterns that cause expensive regex backtracking when Axios reads document.cookie in standard browser environments. This leads to client-side availability issues such as freezing the browser tab while Axios prepares a request.

This vulnerability does not affect Node.js HTTP adapter usage, React Native, or web workers because Axios does not read document.cookie in those environments. The issue is fixed in Axios versions 0.32.0 and 1.16.0.
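The following is an added illustration, not axios's own code: a minimal cookie reader of the shape the advisory describes (a regular expression built from the configured cookie name without escaping), beside two hardened alternatives, one that escapes regex metacharacters before interpolation and one that avoids a regex entirely. The cookie string is constructed inline and passed as a parameter so the example runs outside a browser; in the real library the input would be `document.cookie`. The cookie values and the metacharacter-bearing name `sess.on` are invented for the demonstration.

```javascript
// Added example, not axios's own code. Models the pattern the advisory
// describes: a regex built from the configured XSRF cookie name.

// Vulnerable shape: the name is interpolated into the pattern unescaped, so
// any regex metacharacters in it change what is matched, and a name built to
// backtrack heavily makes the match expensive on the main thread.
function readCookieUnescaped(cookieString, name) {
  const match = cookieString.match(new RegExp('(^|;\\s*)(' + name + ')=([^;]*)'));
  return match ? decodeURIComponent(match[3]) : null;
}

// Hardened: escape every regex metacharacter so the name is matched literally.
// The pattern can then contain no quantifier or group the caller did not write.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function readCookieEscaped(cookieString, name) {
  const pattern = new RegExp('(^|;\\s*)(' + escapeRegExp(name) + ')=([^;]*)');
  const match = cookieString.match(pattern);
  return match ? decodeURIComponent(match[3]) : null;
}

// Alternative with no regex at all: split on ';' and compare names literally.
// Work is linear in the length of the cookie string whatever the name contains.
function readCookieNoRegex(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1));
    }
  }
  return null;
}

// Constructed cookie jar: a session cookie, an XSRF token, and an unrelated cookie.
const SAMPLE_COOKIES = 'session=abc123; XSRF-TOKEN=tok%2D1; theme=dark';

// A name containing a metacharacter (constructed). Unescaped, "sess.on" is a
// pattern that matches the cookie named "session"; escaped or compared
// literally, it matches nothing because no cookie is literally named "sess.on".
const METACHAR_NAME = 'sess.on';

console.log('unescaped:', readCookieUnescaped(SAMPLE_COOKIES, METACHAR_NAME));
console.log('escaped:  ', readCookieEscaped(SAMPLE_COOKIES, METACHAR_NAME));
console.log('no regex: ', readCookieNoRegex(SAMPLE_COOKIES, METACHAR_NAME));
```

The metacharacter case shows the root problem even without a backtracking payload: the configured name is treated as a pattern rather than a string, so it can match a cookie the application never intended to read. Escaping restores literal matching; the split-based reader removes the regex engine from the path altogether and is the simpler choice when only exact-name lookup is needed.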

Impact Analysis

The impact is confined to client-side availability. The regex is evaluated synchronously on the browser's main thread while axios prepares a request, so a cookie name built to backtrack heavily can freeze the affected tab, blocking other scripts and rendering until the match completes.

The prerequisite is narrow. The name that gets interpolated is the one the application configures for axios (the `xsrfCookieName` setting), not the names of whatever cookies the server sets, so an attacker needs some way to influence that configuration value, for example an application that derives it from URL parameters or other untrusted input.

It does not expose credentials or modify requests; the effect is loss of responsiveness in the browser tab.

Detection Guidance

Because the slowdown happens inside the browser, it leaves no server-side trace: a backtracking cookie name looks like a hung tab to the user and like nothing at all in server logs. Treat detection as an inventory problem and find every copy of axios the frontend ships, including nested copies pulled in by other dependencies and copies already bundled into built assets.

Affected versions are 0.x before 0.32.0 and 1.x before 1.16.0, so the primary check is the installed version.

  • List every installed copy, not only the top-level one: `npm ls axios` (npm) or `yarn why axios` (Yarn).
  • For deployed bundles, check the built JavaScript assets or their source maps for the axios version, since a lockfile records what was installed, not what was shipped.
  • Review how the application sets `xsrfCookieName`: a fixed string literal cannot carry attacker-controlled metacharacters, whereas a value derived from URL parameters, storage, or server-supplied configuration can.
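As an added example (not part of the advisory and not tooling from the axios project), the version check above automated against a `package-lock.json`: the scanner walks the lockfile's `packages` map, picks out every axios entry including nested ones, and flags versions inside the advisory's two affected ranges. The lockfile is constructed inline, and the package name `legacy-widget` is hypothetical.

```javascript
// Added example: flag affected axios versions in a package-lock.json.
// Not from the advisory or the axios project.

// Parse "MAJOR.MINOR.PATCH" (any prerelease suffix is ignored) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// First fixed version per major line, taken from the advisory text.
const FIXED_BY_MAJOR = { 0: [0, 32, 0], 1: [1, 16, 0] };

// True when the version falls in an affected range: 0.x below 0.32.0 or
// 1.x below 1.16.0. Major lines the advisory does not mention are not flagged.
function isAffectedAxiosVersion(version) {
  const v = parseVersion(version);
  if (!v) return false;
  const fixed = FIXED_BY_MAJOR[v[0]];
  if (!fixed) return false;
  return compareVersions(v, fixed) < 0;
}

// Walk a lockfileVersion 2/3 "packages" map. Nested copies live at paths such
// as "node_modules/<dep>/node_modules/axios", so match on the path suffix.
function scanLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
      results.push({
        path,
        version: entry.version,
        affected: isAffectedAxiosVersion(entry.version),
      });
    }
  }
  return results;
}

// Constructed lockfile: a direct axios dependency already on the fixed 1.16.0,
// plus a nested 0.x copy pulled in by the hypothetical package "legacy-widget".
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.0.0', 'legacy-widget': '^2.0.0' } },
    'node_modules/axios': { version: '1.16.0' },
    'node_modules/legacy-widget': { version: '2.0.0', dependencies: { axios: '^0.27.0' } },
    'node_modules/legacy-widget/node_modules/axios': { version: '0.27.2' },
  },
});

console.log(scanLockfile(SAMPLE_LOCKFILE));
```

The point of matching on the path suffix rather than reading only the top-level `node_modules/axios` entry is that a fixed direct dependency says nothing about a transitive copy, and a bundler will happily ship both.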
Mitigation Strategies

The primary mitigation is to upgrade Axios to a fixed version: 0.32.0 or later on the 0.x line, or 1.16.0 or later on the 1.x line.

If upgrading immediately is not possible, keep `xsrfCookieName` a fixed string literal and never derive it from URL parameters, storage, or other untrusted input; a name the attacker cannot influence cannot carry regex metacharacters. Environments where axios does not read `document.cookie` (the Node.js HTTP adapter, React Native, web workers) are not exposed and need no change.

Request timeouts do not help here: axios's `timeout` option bounds the network request, but the regex is evaluated synchronously before the request is sent, and nothing on the main thread can interrupt it. Use real-user monitoring for long tasks or unresponsive-tab reports to notice the symptom, and rely on the upgrade for the fix.

Compliance Impact

The vulnerability causes client-side availability degradation, such as freezing the affected browser tab, but does not expose credentials or modify requests.

There is no information provided about any direct impact on compliance with common standards and regulations like GDPR or HIPAA.
