CVE-2026-39865

EUVD-2026-20501

08.04.2026, 15:16

Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 6%

Affected Products (NVD)

Vendor	Product	Version
axios	axios	1.0.0 ≤ 𝑥 < 1.13.2

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://github.com/axios/axios/commit/0588880ac7ddba7594ef179930493884b7e90bf5

https://github.com/axios/axios/releases/tag/v1.13.2

https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8