axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Impacted applications include that that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.
References
| Link | Resource |
|---|---|
| https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842 | Patch |
| https://github.com/rezmoss/axios4go/releases/tag/v0.6.4 | Product |
| https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47 | Mitigation Vendor Advisory |
Configurations
History
09 Mar 2026, 13:57
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.1 |
| First Time |
Rezmoss axios4go
Rezmoss |
|
| CPE | cpe:2.3:a:rezmoss:axios4go:*:*:*:*:*:go:*:* | |
| References | () https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842 - Patch | |
| References | () https://github.com/rezmoss/axios4go/releases/tag/v0.6.4 - Product | |
| References | () https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47 - Mitigation, Vendor Advisory |
07 Jan 2026, 23:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-07 23:15
Updated : 2026-03-09 13:57
NVD link : CVE-2026-21697
Mitre link : CVE-2026-21697
CVE.ORG link : CVE-2026-21697
JSON object : View
Products Affected
rezmoss
- axios4go
CWE
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')