PT-2026-2093 · Axios4Go · Axios4Go

Rezmoss · Published 2026-01-07 · Updated 2026-03-09 · CVE-2026-21697

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

axios4go versions prior to 0.6.4

Description

axios4go is a Go HTTP client library affected by a race condition in its shared HTTP client configuration. The global defaultClient is modified during request execution without proper synchronization, altering the shared http.Client's Transport, Timeout, and CheckRedirect properties. Applications using axios4go with concurrent requests (multiple goroutines, GetAsync, PostAsync, etc.), different proxy configurations, or handling sensitive data like authentication credentials and API keys are potentially impacted. The vulnerability allows for potential proxy configuration leaks.

Recommendations

Versions prior to 0.6.4 should be updated to version 0.6.4 or later.
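
The shared-client pattern from the description, as an added Go example (not axios4go's code and not its 0.6.4 fix): a package-level http.Client whose Transport and Timeout are rewritten per request, beside a request-scoped client that leaves shared state alone. `Options`, `shared`, the function names and the proxy URLs are assumptions constructed for illustration; the two configurations are applied one after the other so the overwrite a race can produce shows up deterministically.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// Options is a hypothetical per-request configuration (not an axios4go type).
type Options struct {
	Proxy   *url.URL
	Timeout time.Duration
}

// shared stands in for a package-level default client reused by every request.
var shared = &http.Client{Timeout: 30 * time.Second}

// unsafeClientFor: flawed pattern, per-request settings written into shared state with no lock.
func unsafeClientFor(o Options) *http.Client {
	shared.Transport = &http.Transport{Proxy: http.ProxyURL(o.Proxy)}
	shared.Timeout = o.Timeout
	return shared
}

// safeClientFor builds a request-scoped client and never writes to shared.
func safeClientFor(o Options) *http.Client {
	return &http.Client{Transport: &http.Transport{Proxy: http.ProxyURL(o.Proxy)}, Timeout: o.Timeout}
}

// proxyOf reports the proxy a client would use for a constructed request.
func proxyOf(c *http.Client) string {
	req, _ := http.NewRequest("GET", "http://service.example/", nil)
	u, _ := c.Transport.(*http.Transport).Proxy(req)
	return u.String()
}

// leaks reports whether caller A's client ends up on caller B's proxy after B configures its request.
func leaks(build func(Options) *http.Client) bool {
	a, _ := url.Parse("http://proxy-a.example:8080") // constructed sample values
	b, _ := url.Parse("http://proxy-b.example:8080")
	clientA := build(Options{Proxy: a, Timeout: 5 * time.Second})
	build(Options{Proxy: b, Timeout: time.Second})
	return proxyOf(clientA) != a.String()
}

func main() {
	fmt.Println(leaks(unsafeClientFor), leaks(safeClientFor)) // true false
}
```

In code that shares a client across goroutines, `go test -race` flags the unsynchronized writes shown in `unsafeClientFor`.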

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2026-21697
GHSA-CMJ9-27WJ-7X47

Affected Products

Axios4Go