VulWall Team February 18, 2026 4 min read

Axios Library Flaw Lets Attackers Crash Your Node.js Server

Your application uses a version of Axios — a very common networking library — that has a flaw allowing an attacker to send a specially crafted request that forces your server to consume all available memory and crash. This causes downtime for your users and can be triggered with a single request, requiring no login or special access.

OWASP A06 Effort: small Exploitable
dos memory-exhaustion axios nodejs data-uri cve dependency cwe-770

Business Impact And Actions

high urgency

Business Impact

A successful attack takes your application offline entirely until the server is restarted. If your service is customer-facing, this means lost revenue, broken user trust, and potential SLA violations. If you operate under compliance frameworks (SOC 2, ISO 27001), unplanned downtime from a known vulnerability is a finding that auditors take seriously. The fix is a straightforward library upgrade — the cost of not acting is far higher than the cost of patching.

What To Do

  1. Ask your developer to check which version of Axios your project uses by running 'npm ls axios' — if it's below version 1.12.0 (or below 0.30.2 on the legacy 0.x line), it needs to be updated.
  2. Have your developer upgrade Axios to version 1.12.0 or later and redeploy the application — this is typically a 30–60 minute task.
  3. If your app accepts URLs submitted by users (e.g., a 'fetch this resource' feature), ask your developer to add a check that rejects any URL starting with 'data:' before it reaches Axios.
  4. After the fix is deployed, check your monitoring or error logs for any unusual memory spikes or crashes that may indicate the vulnerability was already being probed.

Axios < 0.30.2 / < 1.12.0 — Unbounded Memory Allocation via data: URI (CVE-2025-58754)

high severity CVSS 7.5

Vulnerability Explanation

When Axios on Node.js receives a URL with the `data:` scheme, the Node HTTP adapter short-circuits the normal HTTP request path and instead calls `fromDataURI()` (in `lib/helpers/fromDataURI.js`) to decode the Base64 payload directly into a `Buffer` or `Blob` in memory. This code path has no size checks: it does not honour `config.maxContentLength` or `config.maxBodyLength`, which only apply to HTTP response streams. An attacker who can supply a `data:` URI to any Axios call — including those configured with `responseType: 'stream'` — can force the Node.js process to allocate arbitrarily large amounts of memory, triggering an out-of-memory (OOM) crash. A proof-of-concept exploit is publicly available. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Root Cause

The `fromDataURI` helper function decodes the entire Base64 payload with a single `Buffer.from(decodeURIComponent(body), 'base64')` call and returns the result with no size validation. The `maxContentLength` and `maxBodyLength` guards exist only in the HTTP stream path and were never applied to the synthetic `data:` URI response path, creating a bypass of the intended resource-protection controls.

Technical Impact

Denial of Service (DoS) via process-level out-of-memory crash. A single crafted HTTP request containing a large `data:` URI can bring down the entire Node.js process. In containerised or serverless environments with constrained memory budgets, this can cascade to exhausted instance pools and full service unavailability.

Severity Justification

Network-reachable, no authentication required, no user interaction needed, and results in full availability loss (A:H). A public PoC exists. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H = 7.5.

Affected Components

  • axios >= 0.0.1 < 0.30.2
  • axios >= 1.0.0 < 1.12.0

Remediation Steps

  1. Upgrade Axios to 0.30.2 (if on the legacy 0.x line) or 1.12.0+ (recommended). Run: `npm install axios@latest` or pin to `"axios": "^1.12.0"` in package.json, then commit the updated lockfile.
  2. Scan your full dependency tree for transitive Axios pins: `npm ls axios`. Transitive dependencies from other packages may pull in an older version independently — update or override them.
  3. If an immediate upgrade is not possible, add a pre-flight guard before any Axios call that may receive external input: validate that the URL does not start with `data:` and reject it if so (see code example).
  4. Rebuild and redeploy all Docker images or serverless bundles that bundle a vulnerable Axios version — a lockfile update alone is not sufficient if images are pre-built.
  5. Add Axios to your dependency monitoring tooling (e.g., Dependabot, Snyk, Socket.dev) to receive automatic alerts for future vulnerabilities.

Verification Steps

  1. After upgrading, confirm the installed version: `node -e "console.log(require('axios/package.json').version)"` — should print 1.12.0 or higher (or 0.30.2 on the legacy line).
  2. Run `npm ls axios` and verify no nested dependency resolves to a version below the patched threshold.
  3. Optionally, send a test request with a small `data:` URI to confirm Axios still handles legitimate use cases: `node -e "require('axios').get('data:text/plain;base64,SGVsbG8=').then(r => console.log(r.data))"`.
  4. Check your CI pipeline's dependency audit step (`npm audit`) — CVE-2025-58754 should no longer appear after the upgrade.

Code Examples (javascript)

Vulnerable
// Vulnerable: attacker-controlled URL passed directly to axios
const response = await axios.get(userSuppliedUrl);

// Also vulnerable even with stream mode and size limits set:
const response = await axios.get(userSuppliedUrl, {
  responseType: 'stream',
  maxContentLength: 10 * 1024 * 1024  // ignored for data: URIs
});
Fixed
// Option 1 (preferred): Upgrade to axios >= 1.12.0 — no code change needed.
// npm install axios@^1.12.0

// Option 2 (temporary workaround if upgrade is blocked):
const DATA_URI_LIMIT = 100 * 1024; // 100 KB — adjust to your use case

function safeAxiosGet(url, options = {}) {
  if (url.startsWith('data:')) {
    const payload = url.split(',')[1] ?? '';
    if (payload.length > DATA_URI_LIMIT) {
      throw new Error(`Rejected oversized data: URI (${payload.length} bytes)`);
    }
  }
  return axios.get(url, options);
}

const response = await safeAxiosGet(userSuppliedUrl);

Best Practices

  • Never pass unvalidated, user-supplied URLs directly to Axios — always allowlist accepted schemes (e.g., `https:` only) before making requests.
  • Pin dependencies in lockfiles and scan them in CI using a software composition analysis (SCA) tool so new CVEs are caught before they reach production.
  • Apply memory limits at the process level (e.g., Node.js `--max-old-space-size` flag or container memory limits) as a defence-in-depth measure against OOM crashes.
  • Audit all code paths where Axios processes input that originates outside your own services — these are the highest-risk surfaces for this class of vulnerability.

References

Found this in your infrastructure?

VulWall scans for this and dozens of other issues automatically.

Scan Your Domain Free
Back to Knowledge Base