PT-2025-37272 · Openjs Foundation+1 · Axios+1
Ameerassadi · Published 2025-09-11 · Updated 2026-05-08 · CVE-2025-58754
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Axios versions prior to 1.11.0
Description: Axios, a promise-based HTTP client for browsers and Node.js, is susceptible to a denial-of-service (DoS) attack when it runs on Node.js and processes URLs with the data: scheme. The Node http adapter decodes the entire payload of a data: URI into memory with no size limit, ignoring the maxContentLength and maxBodyLength options. An attacker can therefore supply a large data: URI that causes unbounded memory allocation and can crash the process, even when responseType is set to 'stream'. Approximately 2.2 million instances are potentially vulnerable.
Recommendations: Update to Axios version 1.11.0 or later.
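Because the adapter path described above ignores maxContentLength for data: URLs, a defender-side stopgap for deployments that cannot upgrade immediately is to measure the decoded payload size before the request ever reaches the adapter. The block below is an added example, not code from this advisory or from the axios project: it computes the decoded byte length of a data: URL without materialising the payload and rejects an axios-style config object ({ url, maxContentLength }) whose payload would exceed the limit. The "-1 means unlimited" handling is an assumption mirroring axios's convention; axios itself is not imported, so the functions run stand-alone.

```javascript
// Added example (not from the advisory or from axios): pre-flight size check
// for data: URLs so that maxContentLength is honoured before decoding.

// Return the decoded byte length of a data: URL without decoding the payload.
function dataUrlDecodedLength(url) {
  if (typeof url !== 'string' || !/^data:/i.test(url)) {
    throw new TypeError('not a data: URL');
  }
  const comma = url.indexOf(',');
  if (comma === -1) throw new TypeError('malformed data: URL (no comma)');
  const meta = url.slice(5, comma);      // e.g. "text/plain;base64"
  const payload = url.slice(comma + 1);  // encoded body

  if (/;base64$/i.test(meta)) {
    // Base64: every 4 characters encode 3 bytes; '=' padding encodes nothing.
    const s = payload.replace(/\s+/g, '');
    const pad = (s.match(/=+$/) || [''])[0].length;
    return Math.floor((s.length - pad) * 3 / 4);
  }

  // Percent-encoded: each %XX is one byte, any other character is its UTF-8 width.
  const enc = new TextEncoder();
  let bytes = 0;
  for (let i = 0; i < payload.length; ) {
    if (payload[i] === '%' && /^[0-9a-f]{2}$/i.test(payload.slice(i + 1, i + 3))) {
      bytes += 1;
      i += 3;
    } else {
      const ch = String.fromCodePoint(payload.codePointAt(i));
      bytes += enc.encode(ch).length;
      i += ch.length;
    }
  }
  return bytes;
}

// Reject a request whose data: payload would exceed config.maxContentLength.
// Non-data: URLs pass through untouched. A missing or negative limit is treated
// as "unlimited" (assumption: mirrors axios's -1 = no limit convention).
function enforceDataUrlLimit(config) {
  const limit = config.maxContentLength;
  if (!/^data:/i.test(String(config.url || '')) || limit === undefined || limit < 0) {
    return config;
  }
  const size = dataUrlDecodedLength(config.url);
  if (size > limit) {
    throw new Error(`data: URL payload (${size} bytes) exceeds maxContentLength (${limit})`);
  }
  return config;
}

// Constructed sample inputs (not taken from any real request).
const sampleBase64 = 'data:text/plain;base64,aGVsbG8=';  // "hello", 5 bytes decoded
const samplePlain = 'data:text/plain,hello%20world';     // 11 bytes decoded

console.log(dataUrlDecodedLength(sampleBase64), 'bytes in base64 sample');
console.log(dataUrlDecodedLength(samplePlain), 'bytes in percent-encoded sample');
try {
  enforceDataUrlLimit({ url: sampleBase64, maxContentLength: 4 });
} catch (e) {
  console.log('rejected:', e.message);
}
```

In an application, enforceDataUrlLimit can be registered as a request interceptor (axios.interceptors.request.use(enforceDataUrlLimit)) so the size decision is made on the config object before the Node http adapter runs; the check is a mitigation only, and upgrading to 1.11.0 or later remains the fix.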

Exploit
Fix
DoS
Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers
CVE-2025-58754
GHSA-4HJH-WCWX-XVWJ
RHSA-2025:23069

Affected Products
Axios
Debian