DEBIAN-CVE-2025-58754 PUBLISHED CVSS 7.5 HIGH

Axios is a promise-based HTTP client for the browser and Node.js. In versions 0.28.0 and later before 0.30.2, and 1.x before 1.12.0, when Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform an HTTP request at all. Instead, its Node http adapter decodes the entire payload into memory (as a `Buffer` or `Blob`) and returns a synthetic 200 response. This code path ignores `maxContentLength` and `maxBodyLength`, which only apply to real HTTP traffic, so an attacker who can influence the URL passed to Axios can supply a very large `data:` URI and force the process to allocate unbounded memory and crash (denial of service). The decode happens even when the caller requested `responseType: 'stream'`, so streaming does not bound the allocation either. Versions 0.30.2 and 1.12.0 contain a patch for the issue; applications that accept user-supplied URLs should upgrade, and until then should reject or size-check `data:` URLs before handing them to Axios.
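The following is an added example, not code from the axios project or from this advisory. It shows the check a caller can apply before a vulnerable axios version sees a `data:` URL: compute the decoded size from the encoded text alone, without allocating a buffer, and refuse the request if it exceeds a cap. The function returned by `createDataUrlGuard` has the shape of an axios request interceptor (config in, config out or throw), so on a version that cannot be upgraded yet it could be registered with `axios.interceptors.request.use(guard)`. The names `createDataUrlGuard`, `estimateDataUrlDecodedBytes` and `DataUrlTooLargeError`, the `data:` URL regular expression and the 1 MiB default cap are all this example's own assumptions; the regex is not axios's parser, and the sample URLs are constructed here.

```javascript
// Added example, not code from the axios project or the advisory: a request-side
// guard that bounds the decoded size of a `data:` URL before anything is decoded.
// The names below (createDataUrlGuard, estimateDataUrlDecodedBytes,
// DataUrlTooLargeError) and the regex are this example's own assumptions.

const DATA_URL_RE = /^data:([^,]*?)(;base64)?,([\s\S]*)$/i;

class DataUrlTooLargeError extends Error {
  constructor(decodedBytes, limit) {
    super(`data: URL would decode to ${decodedBytes} bytes, limit is ${limit}`);
    this.name = 'DataUrlTooLargeError';
    this.decodedBytes = decodedBytes;
    this.limit = limit;
  }
}

// Size of the decoded payload, computed from the *encoded* text only.
// No buffer of the payload's size is allocated here, which is the whole point.
function estimateDataUrlDecodedBytes(url) {
  const m = DATA_URL_RE.exec(url);
  if (!m) throw new TypeError('not a data: URL');
  const isBase64 = Boolean(m[2]);
  const payload = m[3];
  if (isBase64) {
    // base64 decoders skip whitespace; '=' padding characters produce no bytes.
    const clean = payload.replace(/\s+/g, '');
    const padding = clean.endsWith('==') ? 2 : clean.endsWith('=') ? 1 : 0;
    return Math.floor((clean.length * 3) / 4) - padding;
  }
  // Percent-encoded payload: each %XX escape yields exactly one byte and every
  // other character yields its UTF-8 length, so replacing escapes with one ASCII
  // placeholder lets Buffer.byteLength report the decoded size directly.
  return Buffer.byteLength(payload.replace(/%[0-9a-f]{2}/gi, 'x'), 'utf8');
}

// Returns a function shaped like an axios request interceptor. `defaultLimit`
// applies when the request config carries no usable maxContentLength; axios
// treats -1 as "unlimited", so that value falls back to the default rather than
// disabling the check, because "unlimited" is exactly the bug being mitigated.
function createDataUrlGuard(defaultLimit) {
  return function guardDataUrl(config) {
    const url = String((config && config.url) || '');
    if (!/^data:/i.test(url)) return config; // real HTTP(S) request: axios's own limits apply
    const configured = config.maxContentLength;
    const limit = typeof configured === 'number' && configured >= 0 ? configured : defaultLimit;
    const decodedBytes = estimateDataUrlDecodedBytes(url);
    if (decodedBytes > limit) throw new DataUrlTooLargeError(decodedBytes, limit);
    return config;
  };
}

// Demonstration on constructed inputs. The "large" URL is 4 MiB of base64 text,
// which would decode to 3 MiB; the guard rejects it without decoding anything,
// even though the caller asked for a stream.
const guard = createDataUrlGuard(1024 * 1024); // 1 MiB cap for data: payloads
const smallUrl = 'data:text/plain;base64,SGVsbG8='; // decodes to "Hello"
const largeUrl = 'data:application/octet-stream;base64,' + 'A'.repeat(4 * 1024 * 1024);

guard({ url: smallUrl });
console.log('small: accepted,', estimateDataUrlDecodedBytes(smallUrl), 'decoded bytes');
try {
  guard({ url: largeUrl, responseType: 'stream' });
} catch (err) {
  console.log('large:', err.name, '-', err.message);
}
```

The size estimate assumes `;base64` is the last media-type parameter before the comma and that percent escapes are well formed; a URL that does not match the pattern is treated as non-base64 text and sized by its UTF-8 length, which over-estimates rather than under-estimates. This is a stopgap for callers that accept untrusted URLs; the fix is the upgrade to 0.30.2 or 1.12.0.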

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor     Product     Versions
Debian 12  node-axios  *, 1.7.7+dfsg-1, 1.7.9+dfsg-1
Debian 13  node-axios  1.13.2+dfsg, 1.14.0+dfsg, 1.15.0-1
Debian 14  node-axios  1.11.0+dfsg-1, 0, 1.11.0+dfsg
Debian 11  node-axios  1.14.0+dfsg, 1.15.0-1, 1.15.2-1

Exploit Intelligence

Timeline

  • Sep 12, 2025 CVE Published
  • Apr 28, 2026 CVE Updated