Axios Vulnerability Enables Attackers to Crash Node.js Applications via Data Handle Abuse

A critical security vulnerability has been discovered in the popular Axios HTTP client library that allows attackers to crash Node.js applications through malicious data URL handling.

The flaw, tracked as CVE-2025-58754, affects all versions of Axios before 1.11.0 and has been assigned a CVSS 3.1 score of 7.5, indicating high severity.

Vulnerability Mechanics

The vulnerability stems from Axios’s improper handling of data URLs in Node.js environments.

When the library encounters a URL with the “data:” scheme, it bypasses normal HTTP processing and instead decodes the entire Base64 payload directly into memory using Buffer allocation.

CVE Details
CVE Number: CVE-2025-58754
Affected Product: Axios HTTP Library
Affected Versions: < 1.11.0
Patched Version: 1.12.0
Severity: High
CVSS 3.1 Score: 7.5

This process completely ignores the configured maxContentLength and maxBodyLength safety limits that typically protect against oversized HTTP responses.

Security researcher AmeerAssadi, who discovered and reported the vulnerability, demonstrated that attackers can craft malicious data URLs containing extremely large Base64-encoded payloads.

When processed by vulnerable Axios installations, these URLs force the Node.js process to allocate unbounded amounts of memory, ultimately leading to out-of-memory crashes and denial of service conditions.

The attack is particularly concerning because it affects applications even when developers have implemented proper streaming configurations and memory protection mechanisms.

The vulnerability bypasses these safeguards entirely by operating outside the normal HTTP response handling pathway.

Exploitation requires minimal prerequisites, making this vulnerability especially dangerous. Attackers need only the ability to supply URLs to applications using Axios in Node.js environments.

No authentication, user interaction, or complex attack chains are necessary. The attack works regardless of whether applications request streaming responses, as the malicious payload is decoded into memory before any streaming occurs.

Proof-of-concept demonstrations show that relatively modest data URLs can consume hundreds of megabytes of memory instantaneously.

In resource-constrained environments or applications with heap size limitations, this can trigger immediate application crashes.

The vulnerability affects the availability of applications without compromising data confidentiality or integrity.

The Axios development team has addressed this vulnerability in version 1.12.0 by implementing proper size validation for data URL payloads.

Organizations using Axios should immediately upgrade to version 1.12.0 or later to remediate this security issue.

The patched version enforces the same content length restrictions on data URLs as those applied to standard HTTP responses.

For organizations unable to immediately upgrade, temporary workarounds include implementing application-level validation to reject or sanitize data URLs before they reach Axios processing.
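The application-level guard described above, written out as an added example (this is not code from the article or from the Axios project). It estimates the decoded size of a data: URL from the URL text alone, so an oversized payload is rejected before any client decodes it into a Buffer; the limit value and sample URLs are constructed for illustration.

```javascript
// Added example: pre-flight guard for data: URLs before they reach an HTTP client.
// The decoded size is computed arithmetically, so no decoded Buffer is allocated
// for a URL that is going to be rejected anyway.

const DATA_URL_RE = /^data:([^,]*?)(;base64)?,(.*)$/is;

// Returns the byte count the payload would occupy once decoded, or null when the
// string is not a data: URL (other schemes are left to the normal HTTP path).
function estimateDataUrlDecodedSize(url) {
  const m = DATA_URL_RE.exec(url);
  if (!m) return null;
  const [, , isBase64, payload] = m;
  if (isBase64) {
    // Base64: every 4 characters encode 3 bytes; trailing '=' padding is not data.
    const clean = payload.replace(/\s+/g, '');
    const padding = (clean.match(/=+$/) || [''])[0].length;
    return Math.floor((clean.length * 3) / 4) - padding;
  }
  // Percent-encoded text: each %XX triplet decodes to a single byte.
  const escapes = (payload.match(/%[0-9a-f]{2}/gi) || []).length;
  return payload.length - 2 * escapes;
}

// Constructed policy: enforce the same byte limit on data: URLs that the
// application already relies on for HTTP responses (e.g. its maxContentLength).
function checkUrlAgainstLimit(url, maxContentLength) {
  const size = estimateDataUrlDecodedSize(url);
  if (size === null) return { ok: true, reason: 'not a data: URL' };
  if (size > maxContentLength) {
    return { ok: false, reason: `data: payload would decode to ${size} bytes, limit is ${maxContentLength}` };
  }
  return { ok: true, reason: `data: payload of ${size} bytes is within limit` };
}

// Demonstration with constructed inputs: a tiny payload passes, a 3 MiB one is refused.
const LIMIT = 1024 * 1024; // 1 MiB, constructed limit for the demo
const small = 'data:text/plain;base64,SGVsbG8=';
const large = 'data:application/octet-stream;base64,' + 'A'.repeat(4 * 1024 * 1024);
console.log(checkUrlAgainstLimit(small, LIMIT));
console.log(checkUrlAgainstLimit(large, LIMIT));
```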

However, upgrading to the patched version remains the recommended and most comprehensive solution to eliminate this attack vector completely.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.