Axios CVE-2025-58754: Brief Summary of a Memory Exhaustion Vulnerability in Node.js Data URI Handling

This post presents a brief summary of CVE-2025-58754, a memory exhaustion vulnerability in Axios prior to version 1.11.0 affecting Node.js applications that process data URIs. The flaw allows attackers to bypass content length limits and trigger denial of service. Includes affected versions, technical details, and references.
CVE Analysis

7 min read

ZeroPath CVE Analysis

2025-09-11

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A single HTTP request can bring down a Node.js service if it uses Axios to process attacker-controlled data URIs. Axios is one of the most widely adopted HTTP client libraries in the JavaScript ecosystem, with over 292 million downloads monthly. This vulnerability, CVE-2025-58754, impacts all Axios versions prior to 1.11.0 and allows memory exhaustion attacks that can crash affected processes.

Technical Information

CVE-2025-58754 is a memory allocation vulnerability in Axios, specifically in its Node.js HTTP adapter. When Axios is provided a URL using the data: scheme, it does not perform an HTTP request. Instead, it decodes the entire payload from the data URI into memory as a Buffer or Blob. Critically, this code path ignores the maxContentLength and maxBodyLength configuration options, which are designed to protect applications from large HTTP responses.

This means that if an attacker can supply a data URI with a very large payload, Axios will allocate memory for the entire decoded content, regardless of any configured limits. This can quickly exhaust available memory and crash the Node.js process. The issue occurs even if the application requests a streaming response by setting responseType: 'stream'.

The vulnerability is present in all Axios versions before 1.11.0. The fix, released in version 1.11.0, ensures that data URI payloads are subject to the same content length checks as HTTP responses, preventing unbounded memory allocation.
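For deployments that cannot upgrade immediately, the following is an added example (not part of this post and not axios code) of a pre-flight guard that estimates a data: URI's decoded size without materialising it and enforces a maxContentLength-style cap before the URL ever reaches the client; the function names are hypothetical, and the interceptor wiring in the comment assumes the standard axios request interceptor API.

```javascript
// Added example, not axios code: estimate a data: URI's decoded size and enforce a
// maxContentLength-style cap before the URL reaches the client (names hypothetical).
const DATA_URI_RE = /^data:([^,]*?)(;base64)?,([\s\S]*)$/i;
const HEX2 = /^[0-9a-f]{2}$/i;

// Decoded byte length of a data: URI, computed without decoding the payload.
function estimateDataUriBytes(url) {
  const m = DATA_URI_RE.exec(url);
  if (!m) throw new TypeError('not a data: URI');
  const body = m[3];
  if (m[2]) {
    // base64: 4 characters encode 3 bytes; trailing '=' signs are padding.
    const clean = body.replace(/\s+/g, '');
    const padding = (clean.match(/=+$/) || [''])[0].length;
    return Math.floor((clean.length * 3) / 4) - padding;
  }
  // Percent-encoded text: each %XX is one byte, other characters cost their
  // UTF-8 encoded size (surrogate pairs are one 4-byte code point).
  let bytes = 0;
  for (let i = 0; i < body.length; i++) {
    const cp = body.codePointAt(i);
    if (cp === 0x25 && HEX2.test(body.slice(i + 1, i + 3))) {
      bytes += 1;
      i += 2;
      continue;
    }
    bytes += cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    if (cp > 0xffff) i++; // skip the low surrogate already counted
  }
  return bytes;
}

// Returns true when the URL is allowed; throws RangeError when a data: URI
// would decode to more than maxContentLength bytes. -1 means unlimited,
// matching the meaning of the axios option of the same name.
function dataUriWithinLimit(url, maxContentLength) {
  if (!/^data:/i.test(url) || maxContentLength === -1) return true;
  const size = estimateDataUriBytes(url);
  if (size > maxContentLength) {
    throw new RangeError(`data: URI decodes to ${size} bytes, limit is ${maxContentLength}`);
  }
  return true;
}

// Request-interceptor shape (hypothetical wiring):
//   axios.interceptors.request.use(guardRequestConfig)
function guardRequestConfig(config) {
  dataUriWithinLimit(String(config.url), config.maxContentLength ?? -1);
  return config;
}
```

The estimate is exact for well-formed base64 and percent-encoded bodies, so a request whose decoded payload would exceed the cap is rejected before any Buffer is allocated.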

Affected Systems and Versions

  • Product: Axios (npm package axios)
  • Affected versions: All versions prior to 1.11.0
  • Vulnerable configuration: Node.js environment, when Axios is used to process URLs with the data: scheme

Vendor Security History

Axios has a strong presence in the JavaScript community and is maintained by a responsive team. The project has addressed several notable vulnerabilities in recent years, including:

  • CVE-2025-7783 (predictable boundary values in form-data)
  • CVE-2025-27152 (SSRF and credential leakage)

The maintainers use GitHub advisories and have a mature disclosure and patching process.
