Skip to main content

Node.js EUVDEUVD-2026-20501

| CVE-2026-39865 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-04-08 GitHub_M GHSA-qj83-cq47-w5f8
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.9 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Apr 08, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 15:16 euvd
EUVD-2026-20501
Analysis Generated
Apr 08, 2026 - 15:16 vuln.today
CVE Published
Apr 08, 2026 - 14:25 nvd
MEDIUM 5.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 25 npm packages depend on axios (15 direct, 10 indirect)

Ecosystem-wide dependent count for version 1.13.0.

DescriptionGitHub Advisory

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.

AnalysisAI

Denial of service in Axios HTTP/2 client before version 1.13.2 allows unauthenticated remote attackers to crash Node.js applications through malicious HTTP/2 server responses that trigger state corruption during concurrent session closures. The vulnerability exploits a control flow error in session cleanup logic with high attack complexity, making real-world exploitation require specific server-side conditions but posing significant risk to applications relying on HTTP/2.

Technical ContextAI

Axios is a popular promise-based HTTP client library for Node.js and browsers. The vulnerability resides in the Http2Sessions.getSession() method within lib/adapters/http.js, where HTTP/2 session management logic improperly handles removal of sessions from an internal sessions array. The root cause is classified as CWE-400 (Uncontrolled Resource Consumption), indicating a resource management flaw where concurrent session closure operations corrupt internal state. When a malicious HTTP/2 server triggers multiple simultaneous session terminations, the cleanup logic fails to properly synchronize array mutations, leading to use-after-free or index out-of-bounds conditions that crash the Node.js process. This affects all Axios versions before 1.13.2 that support HTTP/2 protocol handling.

RemediationAI

Upgrade Axios to version 1.13.2 or later, which contains the fix for the HTTP/2 session cleanup control flow error. For applications unable to immediately upgrade, disable HTTP/2 protocol support in HTTP client configuration or implement network-level filtering to restrict HTTP/2 connections from untrusted servers. Consult the official GitHub Security Advisory (https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8) for additional context and verification of patch deployment. Monitor Node.js process stability and implement crash recovery mechanisms as temporary mitigations.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

Share

EUVD-2026-20501 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy