Outdated HTTP Library Can Be Used to Knock Your App Offline
Your application uses an old version of Axios (v0.12.0), a popular tool that helps your software communicate with other services over the internet. This version has a known flaw that lets anyone send a specially crafted request to slow your server to a crawl — potentially making your app unavailable to real users. Upgrading to a newer version takes a developer less than an hour and fully resolves the issue.
Business Impact And Actions
Business Impact (high urgency)
If exploited, this flaw can make your application unresponsive, effectively taking it offline for your customers. Downtime directly affects revenue, customer trust, and — if you handle regulated data — could raise questions during a compliance audit. The good news: no data is exposed and no accounts can be compromised through this specific issue.
What To Do
- Ask your developer to upgrade the Axios library to version 0.21.2 or later — this is a straightforward dependency update, typically under an hour of work.
- After the upgrade, ask your developer to confirm the change is deployed to your live environment and run a quick smoke test to make sure everything still works.
- Check whether Axios appears anywhere else in your codebase (e.g. in other services or tools your team uses) and apply the same upgrade there.
- Consider setting up automated alerts for outdated or vulnerable libraries — tools like Dependabot (free on GitHub) can flag these issues before they reach a scanner.
Axios < 0.21.2 ReDoS via trim() Function (CVE-2021-3749)
Vulnerability Explanation (high severity, CVSS 7.5)
Axios versions prior to 0.21.2 contain a Regular Expression Denial of Service (ReDoS) vulnerability in the internal `trim()` utility function located in `axios/lib/utils.js`. The function used two separate regex patterns — `/^\s*/` and `/\s*$/` — with greedy `*` quantifiers to strip leading and trailing whitespace. These patterns are susceptible to catastrophic backtracking in JavaScript's V8 regex engine when processing specially crafted input strings (e.g., a long string of spaces followed by a non-space character). Processing time grows exponentially with input length, allowing an attacker to lock up the Node.js event loop with a single malformed request.
Root Cause
The root cause is the use of greedy regex quantifiers (`*`) on patterns that can match zero-length strings at every position in the input. When the regex engine fails to find a full match, it backtracks through an exponential number of possible paths. The fix replaces the two patterns with a single, non-backtracking alternative `/^\s+|\s+$/g` (using `+` instead of `*`) and prefers the native `String.prototype.trim()` method when available, which has no such pathological behaviour.
Technical Impact
An unauthenticated remote attacker can send a crafted HTTP request containing a malicious string to any endpoint that passes user-controlled input through Axios's trim function. This causes the Node.js event loop to block, making the application unresponsive to all other requests — a complete denial of service. There is no impact on confidentiality or data integrity.
Severity Justification
CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H — network-accessible, no authentication required, no user interaction, full availability impact. Rated HIGH by NVD and the axios advisory.
Affected Components
axios < 0.21.2
Remediation Steps
- Upgrade axios to version 0.21.2 or later: run `npm install axios@latest` (or pin to a specific safe version such as `0.21.4` or `1.x` if your codebase supports it).
- If you cannot upgrade immediately, audit all code paths that pass user-controlled strings into axios request headers, URLs, or config fields, and enforce strict input length limits (e.g., reject strings over 1 KB) as a temporary mitigation.
- Update your `package.json` to reflect the new minimum version (e.g., `"axios": "^1.0.0"`) and commit the updated `package-lock.json` or `yarn.lock`.
- Re-run your dependency scanner (e.g., `npm audit`) after upgrading to confirm CVE-2021-3749 is no longer reported.
- Deploy the updated build to all environments (staging, then production) and verify the application starts and handles requests correctly.
Verification Steps
- Run `npm list axios` or `cat node_modules/axios/package.json | grep '"version"'` to confirm the installed version is 0.21.2 or later.
- Run `npm audit` and verify CVE-2021-3749 / GHSA-cph5-m8f7-6c5x is no longer listed.
- Optionally, run a quick ReDoS smoke test against a local instance: send a request with a header value containing a long whitespace-padded string (e.g., 50,000 spaces) and confirm the server responds promptly without hanging.
Code Examples

package.json, vulnerable:

```json
{
  "dependencies": {
    "axios": "0.12.0"
  }
}
```

Internally, axios/lib/utils.js (pre-0.21.2) used:

```javascript
function trim(str) {
  return str.replace(/^\s*/, '').replace(/\s*$/, '');
  // ^^^ greedy *-quantifier causes catastrophic backtracking
}
```

package.json, fixed (`"^0.21.2"` is the minimum; `"^1.0.0"` is shown here):

```json
{
  "dependencies": {
    "axios": "^1.0.0"
  }
}
```

axios/lib/utils.js (0.21.2+) uses:

```javascript
function trim(str) {
  return str.trim ? str.trim() : str.replace(/^\s+|\s+$/g, '');
  // ^^^ native trim preferred; fallback uses + quantifier (no catastrophic backtracking)
}
```
Best Practices
- Pin dependency versions in `package-lock.json` or `yarn.lock` and commit lock files to source control so all environments use the same vetted versions.
- Enable automated dependency scanning (e.g., GitHub Dependabot, Snyk, or `npm audit` in CI) to catch vulnerable library versions before they reach production.
- Enforce input length limits at your API boundary — reject or truncate abnormally long strings before they reach any processing logic.
- Prefer native built-in methods (e.g., `String.prototype.trim()`) over custom regex implementations for common string operations.