Golang
CVE-2026-21697
HIGH
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global defaultClient is mutated during request execution without synchronization, directly modifying the shared http.Client's Transport, Timeout, and CheckRedirect properties. Impacted applications include that that use axios4go with concurrent requests (multiple goroutines, GetAsync, PostAsync, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.
AnalysisAI
Concurrent requests in axios4go prior to version 0.6.4 trigger unsynchronized mutations to the shared HTTP client configuration, allowing attackers to manipulate transport settings, timeouts, and redirect handlers across simultaneous operations. Applications using async requests or multiple goroutines with different proxy configurations or handling sensitive credentials are vulnerable to request interception, credential leakage, or denial of service. Upgrade to version 0.6.4 or later to resolve this race condition.
Technical ContextAI
Classified as CWE-362 (Race Condition). Affects Axios4Go. axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global defaultClient is mutated during request execution without synchronization, directly modifying the shared http.Client's Transport, Timeout, and CheckRedirect properties. Impacted applications include that that use axios4go with concurrent requests (multiple goroutines, GetAsync, PostAsync, etc.), those where different requests use di
RemediationAI
A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.
Erugo file-sharing platform up to version 0.2.14 has a CVSS 10.0 path traversal allowing authenticated users to read any
WAGO PFC200 G2 PLC (firmware affected) allows privilege escalation through cookie manipulation. Users can modify cookie
Authentication bypass in WeGIA charitable institution management system before 3.6.5. The adicionar_tipo_docs_atendido.p
CGI path splitting vulnerability in FrankenPHP before 1.11.2 — Unicode characters bypass path validation during CGI proc
Free5gc NRF 1.4.0 has an authorization bypass in access token generation that allows authenticated users to request toke
Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows
Stack-based buffer overflow in Tenda F453 firmware 1.0.0.3 allows remote attackers with valid credentials to achieve una
Stack-based buffer overflow in Tenda F453 firmware version 1.0.0.3 allows authenticated remote attackers to achieve comp
DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vu
Mobilego versions up to 8.5.0 is affected by incorrect permission assignment for critical resource (CVSS 7.8).
Mikogo 5.2.2.150317 contains an unquoted service path vulnerability in the Mikogo-Service Windows service configuration.
Remote attackers can inject arbitrary command-line arguments into bird-lg-go's traceroute module through unsanitized use
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today