Version 1.9.0

axios

Promise based HTTP client for the browser and node.js

Install Instructions

npm install axios
Current Version Release Date April 24, 2025
Package URL (purl) pkg:npm/axios@1.9.0

axios Vulnerabilities

| CVE | CVSS Score | CWE(s) | EPSS Score | EPSS % | Impacted Versions |
|---|---|---|---|---|---|
| CVE-2023-45857 | Medium 6.5 | CWE-352 | 0.00113 | 0.31138 | 1.0.0–1.5.1, 0.8.1–0.27.2 |
| CVE-2024-39338 | High 7.5 | CWE-918 | 0.00029 | 0.06526 | 1.3.2–1.7.3 |
| CVE-2025-27152 | Unknown | CWE-918 | 0.00056 | 0.17751 | 1.0.0–1.8.1, 0.1.0–0.29.0 |
| CVE-2020-28168 | Medium 5.9 | CWE-918 | 0.00288 | 0.51729 | 0.1.0–0.21.0 |
| CVE-2021-3749 | High 7.5 | CWE-400, CWE-1333 | 0.08915 | 0.9207 | 0.1.0–0.21.1 |
| CVE-2019-10742 | High 7.5 | CWE-20, CWE-755 | 0.1374 | 0.93857 | 0.1.0–0.18.0 |

axios Vulnerability Remediation Guidance

| CVE | Description | Full list of Impacted Versions | Fix |
|---|---|---|---|
| CVE-2025-27152 | axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2. | 1.4.0, 1.3.5, 1.3.2, 1.2.4, 1.7.0-beta.1, 1.7.4, 0.25.0, 1.8.1, … | Minor → 1.8.2 |
| CVE-2024-39338 | axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs. | 1.4.0, 1.3.5, 1.3.2, 1.7.0-beta.1, 1.6.6, 1.6.1, 1.6.2, 1.6.0, … | Minor → 1.8.2 |
| CVE-2023-45857 | An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information. | 1.4.0, 1.3.5, 1.3.2, 1.2.4, 0.25.0, 0.27.2, 0.27.0, 0.21.2, … | Minor → 1.8.2 |
| CVE-2021-3749 | axios is vulnerable to Inefficient Regular Expression Complexity. | 0.20.0, 0.19.2, 0.1.0, 0.6.0, 0.16.1, 0.19.1, 0.9.1, 0.2.1, … | Minor → 0.30.0 |
| CVE-2020-28168 | Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. | 0.20.0, 0.19.2, 0.1.0, 0.6.0, 0.16.1, 0.19.1, 0.9.1, 0.2.1, … | Minor → 0.30.0 |
| CVE-2019-10742 | Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded. | 0.1.0, 0.6.0, 0.16.1, 0.9.1, 0.2.1, 0.16.2, 0.14.0, 0.8.1, … | Minor → 0.30.0 |