CVE-2026-21697

axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Impacted applications include that that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842	Patch
https://github.com/rezmoss/axios4go/releases/tag/v0.6.4	Product
https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:rezmoss:axios4go:*:*:*:*:*:go:*:*

History

17 Jun 2026, 10:18

Type	Values Removed	Values Added
Summary		(es) axios4go es una biblioteca cliente HTTP de Go. Antes de la versión 0.6.4, existe una vulnerabilidad de condición de carrera en la configuración compartida del cliente HTTP. El `defaultClient` global se muta durante la ejecución de la solicitud sin sincronización, modificando directamente las propiedades `Transport`, `Timeout` y `CheckRedirect` del `http.Client` compartido. Las aplicaciones afectadas incluyen aquellas que usan axios4go con solicitudes concurrentes (múltiples goroutines, `GetAsync`, `PostAsync`, etc.), aquellas donde diferentes solicitudes usan diferentes configuraciones de proxy, y aquellas que manejan datos sensibles (credenciales de autenticación, tokens, claves API). La versión 0.6.4 corrige este problema.

09 Mar 2026, 13:57

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.1
First Time		Rezmoss axios4go Rezmoss
CPE		cpe:2.3:a:rezmoss:axios4go::::::go::*
References	~~() https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842 -~~	() https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842 - Patch
References	~~() https://github.com/rezmoss/axios4go/releases/tag/v0.6.4 -~~	() https://github.com/rezmoss/axios4go/releases/tag/v0.6.4 - Product
References	~~() https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47 -~~	() https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47 - Mitigation, Vendor Advisory

07 Jan 2026, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-07 23:15

Updated : 2026-06-17 10:18

NVD link : CVE-2026-21697

Mitre link : CVE-2026-21697

CVE.ORG link : CVE-2026-21697

JSON object : View

Products Affected

rezmoss

axios4go

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

8.1 /10