Platform
nodejs
Component
axios
Fixed in
1.13.1
1.13.2
CVE-2026-39865 describes a denial-of-service (DoS) vulnerability within Axios, a popular JavaScript library for making HTTP requests. This flaw arises from a state corruption bug in the HTTP/2 session cleanup logic, allowing a malicious server to crash the client application. The vulnerability impacts Axios versions 1.13.0 up to, but not including, version 1.13.2, and is triggered when HTTP/2 is enabled. A fix is available in version 1.13.2.
An attacker can exploit this vulnerability by crafting malicious HTTP/2 responses that trigger concurrent session closures. The flawed session cleanup logic in Http2Sessions.getSession() within lib/adapters/http.js leads to a control flow error when removing sessions from the sessions array. This error results in a crash of the Axios client process, effectively denying service to legitimate users. The impact is a complete application outage, potentially affecting all users relying on Axios for HTTP communication. While the vulnerability requires HTTP/2 to be enabled, its widespread adoption in modern web applications increases the potential attack surface.
CVE-2026-39865 was publicly disclosed on 2026-04-08. There are currently no publicly available proof-of-concept (PoC) exploits. The vulnerability's impact is primarily denial-of-service, limiting the immediate risk of data exfiltration or remote code execution. Its inclusion in the NVD and potential addition to CISA KEV will depend on observed exploitation attempts. The EPSS score is likely to be assessed as low to medium, reflecting the need for HTTP/2 and the lack of readily available exploits.
Applications built with Node.js that utilize Axios for HTTP communication and have HTTP/2 enabled are at risk. This includes web applications, APIs, and any other JavaScript environments leveraging Axios. Shared hosting environments where users have limited control over Axios configuration are particularly vulnerable.
• nodejs / server:
ps aux | grep axios | grep http2
• nodejs / server:
journalctl -u axios -f | grep -i "session cleanup"
• generic web: Inspect application logs for Axios crashes or errors related to HTTP/2 sessions. Look for patterns indicating concurrent session closures or unexpected behavior within the Axios client.
disclosure
Exploit status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-39865 is to upgrade to Axios version 1.13.2 or later. This version contains the corrected session cleanup logic that prevents the state corruption bug. If upgrading is not immediately feasible, consider disabling HTTP/2 support in your Axios configuration as a temporary workaround, although this will impact performance. Monitor your application logs for crashes related to Axios and HTTP/2 sessions. While no specific WAF rules or detection signatures are readily available, generic DoS detection rules may provide some protection. After upgrading, confirm the fix by sending HTTP/2 requests and verifying that the Axios client does not crash under concurrent session closure scenarios.
Upgrade to version 1.13.2 or later to fix the state corruption vulnerability in HTTP/2 session cleanup. This update addresses a bug in session handling that could allow a malicious server to cause the client to shut down unexpectedly.
CVE-2026-39865 is a denial-of-service vulnerability in Axios versions 1.13.0 through 1.13.1. A malicious server can crash the client process by exploiting a flaw in HTTP/2 session cleanup.
You are affected if you are using Axios versions 1.13.0 to 1.13.1 and have HTTP/2 enabled. Upgrade to Axios 1.13.2 or later to mitigate the risk.
Upgrade to Axios version 1.13.2 or later. As a temporary workaround, disable HTTP/2 support in your Axios configuration.
As of the current disclosure date, there are no confirmed reports of active exploitation. However, the vulnerability's potential impact warrants prompt remediation.
Refer to the Axios GitHub repository and related security advisories for the latest information and updates regarding CVE-2026-39865.