PT-2026-31322 · Axios · Axios

Published: 2026-04-08 · Updated: 2026-05-08 · CVE-2026-39865

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Axios versions prior to 1.13.2

Description: A flaw exists in the Axios HTTP/2 session cleanup logic that allows a malicious server to crash the client process through concurrent session closures. The issue resides in the Http2Sessions.getSession() method in lib/adapters/http.js, whose session cleanup contains a control-flow error when removing sessions from the sessions array. A malicious server can trigger it by establishing multiple concurrent HTTP/2 sessions with an Axios client and then closing all of them simultaneously. This causes the client to access invalid memory locations, resulting in a process crash.

Recommendations: Update to Axios version 1.13.2 or later.
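A constructed illustration of the bug class described above, added here as an example and not Axios's own code: a hypothetical session pool whose close handler removes sessions by an array index captured at insertion time, beside a cleanup that looks the session up by identity at close time and guards the miss. The exact control-flow error in Http2Sessions.getSession() is not reproduced; FakeSession, buggyPool, fixedPool and closeAllSessions are all assumed names for this simulation.

```javascript
class FakeSession {
  constructor(id) { this.id = id; this.onClose = null; }
  close() { if (this.onClose) this.onClose(); } // server-initiated close
}
// Buggy cleanup (hypothetical): removes by the index the session had when added.
function buggyPool() {
  const sessions = [], closedIds = [];
  const add = (session) => {
    const index = sessions.length;
    sessions.push(session);
    session.onClose = () => {
      // BUG: once an earlier close has spliced the array, `index` points at
      // a different session or past the end, so `victim` may be undefined.
      const victim = sessions[index];
      closedIds.push(victim.id);    // TypeError when undefined; uncaught in a
      sessions.splice(index, 1);    // real client, it terminates the process
    };
  };
  return { sessions, closedIds, add };
}
// Fixed cleanup: find the session by identity at close time and guard a miss.
function fixedPool() {
  const sessions = [], closedIds = [];
  const add = (session) => {
    sessions.push(session);
    session.onClose = () => {
      const i = sessions.indexOf(session);
      if (i === -1) return;         // already removed by a concurrent close
      closedIds.push(sessions[i].id);
      sessions.splice(i, 1);
    };
  };
  return { sessions, closedIds, add };
}
// Open `count` sessions, then let the "server" close all of them in a burst.
// Returns the error type thrown by the client's cleanup (null if none), the
// ids the cleanup believed it removed, and how many sessions remain pooled.
function closeAllSessions(pool, count) {
  const opened = Array.from({ length: count }, (_, i) => new FakeSession(i));
  opened.forEach((s) => pool.add(s));
  let error = null;
  try {
    opened.forEach((s) => s.close());
  } catch (e) {
    error = e.constructor.name;
  }
  return { error, closedIds: pool.closedIds, remaining: pool.sessions.length };
}
console.log('buggy:', closeAllSessions(buggyPool(), 3)); // TypeError, ids [0,2], 1 left
console.log('fixed:', closeAllSessions(fixedPool(), 3)); // null, ids [0,1,2], 0 left
```

With three sessions the buggy pool detaches the wrong session on the second close and dereferences undefined on the third, while the fixed pool removes exactly the three sessions that closed.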

Weakness Enumeration: Resource Exhaustion

Related Identifiers: CVE-2026-39865, GHSA-QJ83-CQ47-W5F8

Affected Products: Axios