Denial of Service Vulnerability in Axios HTTP Client for Node.js
CVE-2025-58754
What is CVE-2025-58754?
CVE-2025-58754 is a denial of service vulnerability found in the Axios HTTP client, a popular promise-based library for making HTTP requests in both browser and Node.js environments. Specifically, this vulnerability impacts versions of Axios prior to 1.11.0 when executing on Node.js. The flaw arises when Axios is provided with a URL that uses the data: scheme, as it bypasses traditional HTTP processing and instead attempts to decode the entire payload directly into memory. This leads to unbounded memory allocation and can cause the application to crash, resulting in a denial of service.
The implication of this vulnerability is critical for organizations that utilize Axios in their software, as it can lead to unexpected downtime and resource exhaustion. The failure to validate the maximum size of incoming data requests allows an attacker to exploit this flaw by sending a maliciously crafted large data: URI, overwhelming the application's memory and leading to a service disruption. To mitigate this risk, users are advised to upgrade to Axios version 1.11.0 or later, which includes a fix for this vulnerability.
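The missing size check described above can be enforced in application code while an upgrade is pending, or as defence in depth alongside the patched release. The following is an added example, not code from the advisory or from the axios project: it estimates the decoded size of a data: URL from its encoded length without decoding it, and wraps that check as an axios request interceptor (the 1 MiB default limit and the function names are assumptions).

```javascript
// Added example (not from the advisory or the axios project): bound the decoded
// size of a data: URL before axios decodes it into memory.
const DEFAULT_MAX_DATA_URL_BYTES = 1 * 1024 * 1024; // assumed limit: 1 MiB

// Estimate how many bytes a data: URL decodes to, without decoding it.
// Returns null for anything that is not a data: URL (normal HTTP URLs pass through).
function estimateDataUrlDecodedSize(url) {
  if (typeof url !== 'string' || !/^data:/i.test(url)) return null;
  const comma = url.indexOf(',');
  if (comma === -1) throw new TypeError('malformed data: URL (no comma separator)');
  const meta = url.slice(5, comma);      // e.g. "application/octet-stream;base64"
  const payload = url.slice(comma + 1);  // the encoded body
  if (/;base64$/i.test(meta)) {
    // Every 4 base64 characters yield 3 bytes; trailing '=' padding yields none.
    const clean = payload.replace(/\s+/g, '');
    const padding = (clean.match(/=+$/) || [''])[0].length;
    return Math.floor((clean.length * 3) / 4) - padding;
  }
  // Percent-encoded body: each %XX triplet (3 bytes) decodes to a single byte.
  const escapes = (payload.match(/%[0-9a-f]{2}/gi) || []).length;
  return Buffer.byteLength(payload, 'utf8') - escapes * 2;
}

// Build an axios request interceptor that rejects oversized data: URLs and
// returns every other request config unchanged.
// Wiring (axios API): axios.interceptors.request.use(makeDataUrlGuard(64 * 1024));
function makeDataUrlGuard(maxBytes = DEFAULT_MAX_DATA_URL_BYTES) {
  return function dataUrlGuard(config) {
    const size = estimateDataUrlDecodedSize(config && config.url);
    if (size !== null && size > maxBytes) {
      // Fail fast here: the payload is never allocated, so memory use stays bounded.
      throw new Error(
        `data: URL would decode to ~${size} bytes, exceeding the ${maxBytes}-byte limit`
      );
    }
    return config;
  };
}

// Constructed sample inputs: "Hello" as base64, and a ~3000-byte base64 body.
const SMALL_DATA_URL = 'data:text/plain;base64,SGVsbG8=';
const LARGE_DATA_URL = 'data:application/octet-stream;base64,' + 'A'.repeat(4000);
```

Because the estimate is computed from the encoded length alone, the guard costs O(n) over the URL string and never materialises the decoded buffer, which is exactly the allocation the vulnerability abuses.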
Potential impact of CVE-2025-58754
- Unbounded Memory Allocation: The flaw allows attackers to supply excessively large data: URIs that can lead to uncontrolled memory usage. This can result in application crashes and service unavailability.
- Denial of Service: The vulnerability is an avenue for denial of service attacks, where services equipped with Axios can be rendered inoperable, leading to significant downtime that impacts business operations and user experience.
- Resource Exhaustion: Organizations may face increased operating costs related to monitoring and managing memory and resource consumption due to the potential influx of malicious requests targeting this vulnerability. This could lead to strain on infrastructure and poor performance in instances where rapid scaling is required.
Affected Version(s)
axios >= 1.0.0, < 1.12.0 < 1.0.0, 1.12.0
axios < 0.30.2 < 0.30.2