[Pkg-javascript-devel] Bug#1114963: node-axios: CVE-2025-58754
Salvatore Bonaccorso
carnil at debian.org
Fri Sep 12 09:54:37 BST 2025
Source: node-axios
Version: 1.11.0+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/axios/axios/pull/7011
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for node-axios.
CVE-2025-58754[0]:
| Axios is a promise based HTTP client for the browser and Node.js.
| When Axios prior to version 1.11.0 runs on Node.js and is given a
| URL with the `data:` scheme, it does not perform HTTP. Instead, its
| Node http adapter decodes the entire payload into memory
| (`Buffer`/`Blob`) and returns a synthetic 200 response. This path
| ignores `maxContentLength` / `maxBodyLength` (which only protect
| HTTP responses), so an attacker can supply a very large `data:` URI
| and cause the process to allocate unbounded memory and crash (DoS),
| even if the caller requested `responseType: 'stream'`. Version
| 1.11.0 contains a patch for the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-58754
https://www.cve.org/CVERecord?id=CVE-2025-58754
[1] https://github.com/axios/axios/pull/7011
[2] https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj
[3] https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
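The failure mode the CVE text describes, as an added example that is neither axios's code nor part of the bug report: a Node.js data: URI decoder that estimates the decoded size from the URL string alone and refuses to allocate when that estimate exceeds a limit. `maxContentLength` is the axios option named in the CVE text; the helper names, the `-1` "unbounded" default, the synthetic response shape and the `ERR_BAD_RESPONSE` code are this example's own assumptions, and the large URI at the end is constructed in place.

```javascript
// Added example, not axios's code: size-check a data: URI before decoding it.
// "data:[<mediatype>][;base64],<data>" (RFC 2397)
const DATA_URL_RE = /^data:([^,]*?)(;base64)?,([\s\S]*)$/i;

// Split the URL into its parts without decoding the payload.
function parseDataUrl(url) {
  const m = DATA_URL_RE.exec(url);
  if (!m) throw new TypeError('not a data: URL');
  return { mediaType: m[1] || 'text/plain', isBase64: Boolean(m[2]), body: m[3] };
}

// Upper bound on the decoded length, computed from the text only: no Buffer
// of the decoded size is allocated here. This is the check the CVE text says
// the Node adapter lacked for data: URLs.
function estimateDecodedBytes({ isBase64, body }) {
  if (isBase64) {
    const clean = body.replace(/\s+/g, '');            // decoders skip whitespace
    const padding = clean.endsWith('==') ? 2 : clean.endsWith('=') ? 1 : 0;
    return Math.floor((clean.length * 3) / 4) - padding; // 4 chars -> 3 bytes
  }
  // Percent-encoded: each "%XX" (3 bytes of text) becomes 1 byte; everything
  // else is carried over as its UTF-8 bytes.
  const escapes = (body.match(/%[0-9a-fA-F]{2}/g) || []).length;
  return Buffer.byteLength(body, 'utf8') - 2 * escapes;
}

// Percent-decode straight into a Buffer (raw %XX bytes, literal text as UTF-8).
function percentDecodeToBuffer(s) {
  const parts = [];
  const re = /%([0-9a-fA-F]{2})/g;
  let i = 0;
  let m;
  while ((m = re.exec(s)) !== null) {
    if (m.index > i) parts.push(Buffer.from(s.slice(i, m.index), 'utf8'));
    parts.push(Buffer.from([parseInt(m[1], 16)]));
    i = m.index + 3;
  }
  if (i < s.length) parts.push(Buffer.from(s.slice(i), 'utf8'));
  return Buffer.concat(parts);
}

// Decode a data: URL into a synthetic 200 response. maxContentLength = -1
// keeps the unbounded behaviour the CVE describes (the whole payload lands in
// memory); any other value is enforced before a single payload byte is decoded.
// The error code name is an assumption made for this example.
function decodeDataUrl(url, { maxContentLength = -1 } = {}) {
  const parsed = parseDataUrl(url);
  const estimated = estimateDecodedBytes(parsed);
  if (maxContentLength !== -1 && estimated > maxContentLength) {
    const err = new Error(
      `data: URI would decode to ${estimated} bytes, over maxContentLength=${maxContentLength}`
    );
    err.code = 'ERR_BAD_RESPONSE';
    throw err;
  }
  const data = parsed.isBase64
    ? Buffer.from(parsed.body.replace(/\s+/g, ''), 'base64')
    : percentDecodeToBuffer(parsed.body);
  return { status: 200, headers: { 'content-type': parsed.mediaType }, data };
}

// Constructed oversized input: 2^19 repetitions of "QUFB" decode to 1.5 MiB of
// "AAA"; with a 1 MiB limit the estimate rejects it without allocating.
const OVERSIZED_DATA_URL =
  'data:application/octet-stream;base64,' + 'QUFB'.repeat(1 << 19);
```

Calling `decodeDataUrl(OVERSIZED_DATA_URL, { maxContentLength: 1 << 20 })` throws before any payload Buffer exists, while the default `maxContentLength: -1` still decodes all 1,572,864 bytes; the point of the estimate is that the cost of the check is proportional to the URL text, not to what an attacker wants the process to allocate. Note that, as the CVE text says, a `data:` URL never produces a stream, so a caller that asked for `responseType: 'stream'` expecting incremental consumption gets the whole body in memory regardless, and only a pre-decode limit like this one protects it.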