CVE-2026-39865

CVSS Score & Metrics

Base Score

5.9 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H                                    

Vulnerability Description

Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.

Vulnerability Details

Published Date

April 08, 2026

Last Modified

April 13, 2026

CWE ID

CWE-400

Source

NVD

Vendor

axios

Product

axios

External References

https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment