HarborGuard Database
HIGH · CVE-2026-44496 · CNA: GitHub_M

CVE-2026-44496: Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection

Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios reads document.cookie. The practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read document.cookie. This vulnerability is fixed in 0.32.0 and 1.16.0.
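As an added example (not axios code and not part of the original advisory), the following JavaScript shows why splicing a cookie name into a RegExp without escaping is unsafe and what the escaped form looks like; the function names, the constructed cookie string and the name policy in isSafeLiteralName are this example's assumptions.

```javascript
// Added example, not axios source. Building a RegExp from an unescaped
// cookie name lets metacharacters in the name change what the pattern
// matches (or break the pattern entirely); the fix is to escape the name
// so it is matched literally. Function names are this example's own.

// Escape every regex metacharacter in s so new RegExp(s) matches s literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Weak form: the configured name is spliced into the pattern as-is.
function readCookieUnescaped(cookieString, name) {
  const re = new RegExp('(^|;\\s*)(' + name + ')=([^;]*)');
  const m = cookieString.match(re);
  return m ? m[3] : null;
}

// Hardened form: the name is escaped first, so '.', '(', '*' etc. are literal.
function readCookieEscaped(cookieString, name) {
  const re = new RegExp('(^|;\\s*)(' + escapeRegExp(name) + ')=([^;]*)');
  const m = cookieString.match(re);
  return m ? m[3] : null;
}

// Configuration guard (assumed policy, stricter than RFC 6265 tokens): only
// accept an XSRF cookie name that contains no regex metacharacters at all.
function isSafeLiteralName(name) {
  return /^[A-Za-z0-9_-]+$/.test(name);
}

// Constructed document.cookie-style string: a look-alike cookie precedes the real one.
const SAMPLE_COOKIES = 'session=abc; XSRFxTOKEN=lookalike; XSRF.TOKEN=real';

function demo() {
  return {
    unescaped: readCookieUnescaped(SAMPLE_COOKIES, 'XSRF.TOKEN'), // 'lookalike': '.' matched 'x'
    escaped: readCookieEscaped(SAMPLE_COOKIES, 'XSRF.TOKEN'),     // 'real'
    literalNameOk: isSafeLiteralName('XSRF-TOKEN'),               // true
    dottedNameOk: isSafeLiteralName('XSRF.TOKEN'),                // false
  };
}
```

A name containing an unbalanced parenthesis makes the unescaped form throw a SyntaxError when the RegExp is compiled, while the escaped form still resolves the cookie.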

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

A Regular Expression Denial of Service (ReDoS) vulnerability affects the Axios HTTP client library in versions before 0.32.0 (0.x line) and before 1.16.0 (1.x line). The flaw is reachable over the network without authentication and requires no user interaction; an attacker who can influence the XSRF cookie name passed to Axios can trigger catastrophic regex backtracking in the browser, causing the affected tab to freeze or become unresponsive. Successful exploitation degrades client-side availability but does not expose or modify data. HarborGuard tracks this advisory and will make a patched-image rebuild available at versions 0.32.0 and 1.16.0 for affected environments once images incorporating those releases are present in customer registries.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Axios as a transitive dependency.

Triage: Available

HarborGuard scores this issue at CVSS 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is capable of weighting that score against each environment's compliance policy to route findings to the appropriate team inbox within each customer organization.

Patch: Pending upstream

Because no fix version has been published upstream at this time, HarborGuard re-evaluates the advisory on each ingest cycle and will make a patched-image rebuild available the moment Axios 0.32.0 or 1.16.0 is incorporated into an image present in a customer registry. For customers with auto-remediation enabled, that rebuild will trigger a regression run and open a PR against affected workloads without additional manual steps.

Exploit Conditions

  • Network reachability: Required

    The vulnerable code path is exercised in browser environments where Axios is loaded and making HTTP requests, meaning an attacker must be able to influence a cookie name delivered over the network to the affected browser context.

  • Authentication: Not required

    No authentication is needed; the attacker only needs the ability to set or influence a cookie name that Axios will consume, with no account or credential required.

  • Victim interaction: Not required

    Axios reads document.cookie automatically as part of preparing a request, so no deliberate victim action beyond normal page use is needed to trigger the backtracking.

  • Attack complexity: Low

    Attack complexity is low; the exploit is reliable and condition-free once the attacker controls or can inject a crafted cookie name, with no race condition or special environmental setup required.

Blast Radius

  • Freezes or severely stalls the affected browser tab while Axios processes the malicious cookie name, making the page unresponsive to the user.
  • Repeated triggering can exhaust JavaScript engine CPU time, causing sustained denial of service for any web application relying on Axios for HTTP requests in that browser context.
  • Confidentiality and data integrity are not affected; the vulnerability is limited to availability of the client-side application.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published, HarborGuard continuously re-checks this advisory on each ingest cycle and will make a patched-image rebuild available the moment an image incorporating Axios 0.32.0 or 1.16.0 appears in a customer registry. In the meantime, compensating controls worth evaluating include setting a static, non-user-influenced XSRF cookie name in Axios configuration, applying Content Security Policy headers to limit cookie injection vectors, and network-policy isolation to reduce the attack surface of affected browser-facing services. For customers with auto-remediation enabled, once a fix-bearing image is available the platform will rebuild the image, run regression tests, and open a PR against affected workloads automatically. Customers without auto-remediation will receive a flagged finding with severity HIGH routed according to their compliance policy configuration.

Affected packages
  • axios / axios: >= 1.0.0, < 1.16.0 · < 0.32.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H