Axios CVE-2025-58754: Brief Summary of a Memory Exhaustion Vulnerability in Node.js Data URI Handling

This post presents a brief summary of CVE-2025-58754, a memory exhaustion vulnerability in Axios prior to version 1.11.0 affecting Node.js applications that process data URIs. The flaw allows attackers to bypass content length limits and trigger denial of service. It includes affected versions, technical details, and references.
CVE Analysis

7 min read

ZeroPath CVE Analysis

2025-09-11
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

A single HTTP request can bring down a Node.js service if it uses Axios to process attacker-controlled data URIs. Axios is one of the most widely adopted HTTP client libraries in the JavaScript ecosystem, with over 292 million downloads monthly. This vulnerability, CVE-2025-58754, impacts all Axios versions prior to 1.11.0 and allows memory exhaustion attacks that can crash affected processes.

Technical Information

CVE-2025-58754 is a memory allocation vulnerability in Axios, specifically in its Node.js HTTP adapter. When Axios is provided a URL using the data: scheme, it does not perform an HTTP request. Instead, it decodes the entire payload from the data URI into memory as a Buffer or Blob. Critically, this code path ignores the maxContentLength and maxBodyLength configuration options, which are designed to protect applications from large HTTP responses.

This means that if an attacker can supply a data URI with a very large payload, Axios will allocate memory for the entire decoded content, regardless of any configured limits. This can quickly exhaust available memory and crash the Node.js process. The issue occurs even if the application requests a streaming response by setting responseType: 'stream'.

The vulnerability is present in all Axios versions before 1.11.0. The fix, released in version 1.11.0, ensures that data URI payloads are subject to the same content length checks as HTTP responses, preventing unbounded memory allocation.
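As an added defensive example (not Axios project code), the check below computes a data: URI's decoded size from the encoded text alone and refuses it against a maxContentLength-style limit before any buffer is allocated, which is the protection the vulnerable code path lacked. The helper names and the 3 MiB sample payload are constructed for this illustration.

```javascript
// Added example (not Axios project code): a pre-flight size check for data: URIs.
// It derives the decoded byte length from the encoded text alone, so an
// oversized URI can be refused before any Buffer is allocated.

// Hypothetical helper. Matches "data:<mediatype>[;base64],<payload>".
const DATA_URI_RE = /^data:([^,]*?)(;base64)?,([\s\S]*)$/i;

// Returns the number of bytes the payload would decode to.
// Throws if the string is not a data: URI.
function estimateDataUriBytes(uri) {
  const m = DATA_URI_RE.exec(uri);
  if (!m) throw new TypeError('not a data: URI');
  const isBase64 = m[2] !== undefined;
  const payload = m[3];
  if (isBase64) {
    // Base64: every 4 characters decode to 3 bytes, minus '=' padding.
    const body = payload.replace(/\s+/g, '');
    const padding = (body.match(/=+$/) || [''])[0].length;
    return Math.floor((body.length * 3) / 4) - padding;
  }
  // Percent-encoded form: each %XX triplet is one byte; everything else is
  // counted as UTF-8, which is what decodeURIComponent would produce.
  const stripped = payload.replace(/%[0-9a-f]{2}/gi, '');
  const escapedBytes = (payload.length - stripped.length) / 3;
  return Buffer.byteLength(stripped, 'utf8') + escapedBytes;
}

// Guard to call before handing a URL to axios (hypothetical helper name).
// Same semantics as maxContentLength: a negative or missing limit means
// unlimited. Non-data URLs are left to Axios's own HTTP response checks.
function dataUriWithinLimit(url, maxContentLength) {
  if (!/^data:/i.test(url)) return true;
  if (maxContentLength === undefined || maxContentLength < 0) return true;
  return estimateDataUriBytes(url) <= maxContentLength;
}

// Constructed sample: 4 MiB of base64 text that would decode to 3 MiB.
const BIG_DATA_URI =
  'data:application/octet-stream;base64,' + 'A'.repeat(4 * 1024 * 1024);

// Applies a 2 MiB limit (as if set via maxContentLength) to both a tiny
// and the constructed oversized URI; the latter is rejected without decoding.
function demo() {
  const limit = 2 * 1024 * 1024;
  return {
    small: dataUriWithinLimit('data:text/plain;base64,SGVsbG8=', limit),
    big: dataUriWithinLimit(BIG_DATA_URI, limit),
  };
}
```

Call `dataUriWithinLimit(url, config.maxContentLength)` before `axios.get(url, config)` and reject the request when it returns false; the estimate never materialises the payload, so the check itself costs only a scan of the string.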

Affected Systems and Versions

  • Product: Axios (npm package axios)
  • Affected versions: All versions prior to 1.11.0
  • Vulnerable configuration: Node.js environment, when Axios is used to process URLs with the data: scheme

Vendor Security History

Axios has a strong presence in the JavaScript community and is maintained by a responsive team. The project has addressed several notable vulnerabilities in recent years, including:

  • CVE-2025-7783 (predictable boundary values in form-data)
  • CVE-2025-27152 (SSRF and credential leakage)

The maintainers use GitHub advisories and have a mature disclosure and patching process.
