CVE-2025-58754 Overview
Axios, a widely used promise-based HTTP client for browsers and Node.js, contains a resource exhaustion vulnerability that can lead to denial of service. When Axios running on Node.js receives a URL with the data: scheme, it bypasses normal HTTP handling and instead decodes the entire payload directly into memory as a Buffer or Blob object. This path ignores the maxContentLength and maxBodyLength configuration options that are designed to bound the size of HTTP payloads.
An attacker can exploit this vulnerability by supplying a crafted, extremely large data: URI to an Axios instance, causing the Node.js process to allocate unbounded memory. This memory exhaustion leads to process crashes and denial of service, even when the application has configured responseType: 'stream', which would normally prevent the full payload from being buffered.
Critical Impact
Attackers can crash Node.js applications by supplying maliciously crafted large data: URIs that bypass Axios content length protections, causing unbounded memory allocation and denial of service.
Affected Products
- Axios versions 0.28.0 through 0.30.1 (Node.js)
- Axios versions 1.0.0 through 1.11.x (Node.js)
Discovery Timeline
- 2025-09-12 - CVE-2025-58754 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-58754
Vulnerability Analysis
The vulnerability exists in Axios's Node.js HTTP adapter's handling of data: scheme URLs. Unlike standard HTTP requests where Axios properly enforces size limits through maxContentLength and maxBodyLength configuration options, the data URI handling path completely bypasses these protective measures.
When a data: URI is processed, Axios decodes the base64-encoded payload directly into memory and returns it as a synthetic 200 response. This means that regardless of how the application configures response handling, including responseType: 'stream', which is meant to deliver data without buffering it in full, the entire payload is loaded into memory at once.
The impact is particularly severe in server-side applications where multiple concurrent requests with large data URIs could rapidly exhaust available memory, leading to out-of-memory (OOM) conditions and service unavailability.
Root Cause
The root cause is a failure to apply consistent input validation across all URL scheme types in Axios's Node.js adapter. The maxContentLength and maxBodyLength protections were implemented specifically for HTTP/HTTPS responses but were not extended to cover the data URI decoding path.
This architectural oversight stems from treating data URIs as a separate, trusted path that doesn't require the same security controls as external network requests. The CWE-770 (Allocation of Resources Without Limits or Throttling) classification accurately describes this failure to implement resource constraints on the data URI processing mechanism.
Attack Vector
The attack exploits the network-accessible nature of applications using vulnerable Axios versions. An attacker can craft a request that causes the target application to process a large data: URI, either directly through user-supplied input or indirectly through attacker-controlled external data sources.
The attack requires no authentication or special privileges and can be executed with low complexity. The attacker crafts a data URI containing a very large base64-encoded payload. When Axios processes this URI, it attempts to decode and store the entire payload in memory without checking size limits.
For example, if an application accepts URLs from user input and passes them to Axios for fetching, an attacker could supply a data URI containing gigabytes of encoded data. The application would attempt to allocate memory for the entire decoded payload, potentially exhausting system resources and causing a denial of service condition.
Detection Methods for CVE-2025-58754
Indicators of Compromise
- Sudden memory spikes in Node.js processes handling HTTP requests
- Out-of-memory (OOM) errors or process crashes in Axios-dependent services
- Unusual presence of data: scheme URLs in application logs or request payloads
- Repeated service restarts due to memory exhaustion
Detection Strategies
- Implement application-layer monitoring for incoming requests containing data: URI schemes
- Monitor Node.js process memory utilization with alerts for abnormal growth patterns
- Audit application code for user-controlled URL inputs passed to Axios without validation
- Review dependency trees to identify affected Axios versions using npm audit or similar tools
Monitoring Recommendations
- Enable heap memory profiling on production Node.js instances to detect memory exhaustion attacks
- Set up alerts for process memory exceeding expected thresholds in containerized environments
- Log and analyze URL patterns in requests to identify potential exploitation attempts
- Implement circuit breakers to prevent cascading failures from memory exhaustion
How to Mitigate CVE-2025-58754
Immediate Actions Required
- Upgrade Axios immediately: to 0.30.2 or later on the 0.x branch, or 1.12.0 or later on the 1.x branch
- Implement input validation to reject or sanitize data: URIs before passing to Axios
- Add URL scheme allowlisting to only permit http: and https: protocols where appropriate
- Configure memory limits on Node.js processes to contain potential impact
Patch Information
The Axios maintainers have released patched versions that address this vulnerability. The fix implements proper size limit enforcement for data URI processing, ensuring that maxContentLength and maxBodyLength protections apply consistently across all URL schemes.
Patched versions:
- Version 0.30.2 for the 0.x branch - GitHub Release v0.30.2
- Version 1.12.0 for the 1.x branch - GitHub Release v1.12.0
For detailed technical information about the fix, see the GitHub Security Advisory GHSA-4hjh-wcwx-xvwj and related GitHub Pull Request #7011.
Workarounds
- Implement a request interceptor in Axios to check and reject data: scheme URLs before processing
- Add a reverse proxy or API gateway rule to filter requests containing data URI patterns
- Use input validation libraries to sanitize and validate URLs before Axios consumption
- Wrap Axios calls in try-catch blocks with resource cleanup to limit impact of memory errors
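The scheme allowlisting and request-interceptor workarounds above, combined in one added example that is not code from the Axios project. The function and option names (makeUrlGuard, maxDataUriBytes) are this example's own, not Axios options; the guard estimates the decoded size of a data: URI from its encoded length so that the check itself never allocates the payload.

```javascript
// Added example, not code from the Axios project: a request interceptor that
// enforces a scheme allowlist and caps the decoded size of data: URIs before the
// Node adapter decodes them. Names (makeUrlGuard, maxDataUriBytes) are this
// example's own, not Axios options.
const DEFAULT_OPTIONS = { allowedSchemes: ['http:', 'https:'], maxDataUriBytes: 0 };

// Estimate the decoded byte length of a data: URI without materialising it.
// A base64 payload decodes to 3/4 of its length minus padding; a percent-encoded
// payload decodes to at most its raw length (each %XX yields one byte).
function estimateDataUriBytes(url) {
  const comma = url.indexOf(',');
  if (comma === -1) return 0;
  const mediaType = url.slice('data:'.length, comma).toLowerCase();
  const payload = url.slice(comma + 1);
  if (mediaType.split(';').includes('base64')) {
    const padding = payload.endsWith('==') ? 2 : payload.endsWith('=') ? 1 : 0;
    return Math.floor((payload.length * 3) / 4) - padding;
  }
  return payload.length;
}

// Returns a function shaped like an Axios request interceptor: it receives the
// request config and must return it, or throw to abort the request before the
// adapter runs (and therefore before any decoding happens).
function makeUrlGuard(options = {}) {
  const opts = { ...DEFAULT_OPTIONS, ...options };
  return function guardRequestConfig(config) {
    // Resolve against baseURL the way Axios would, so a relative path is not
    // mistaken for an unknown scheme.
    const url = new URL(config.url, config.baseURL);
    if (url.protocol === 'data:') {
      const bytes = estimateDataUriBytes(config.url);
      if (bytes > opts.maxDataUriBytes) {
        throw new Error(`data: URI would decode to ~${bytes} bytes; limit is ${opts.maxDataUriBytes}`);
      }
      return config;
    }
    if (!opts.allowedSchemes.includes(url.protocol)) {
      throw new Error(`URL scheme ${url.protocol} is not allowed`);
    }
    return config;
  };
}

// With a real Axios instance the guard is registered as:
//   axios.interceptors.request.use(makeUrlGuard({ maxDataUriBytes: 64 * 1024 }));
```

Leaving maxDataUriBytes at its default of 0 rejects every data: URI, which is the right setting for services that only ever fetch http: and https: resources.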
# Upgrade example (npm)
# Update Axios to the latest patched release
npm install axios@latest
# Or install a specific patched version on the 1.x branch
npm install axios@1.12.0
# For the legacy 0.x branch:
npm install axios@0.30.2
# Verify the installed version
npm list axios
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.