CVE-2026-39865

Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/axios/axios/commit/0588880ac7ddba7594ef179930493884b7e90bf5
https://github.com/axios/axios/releases/tag/v1.13.2
https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*

History

27 Apr 2026, 17:16

Type	Values Removed	Values Added
References		() https://github.com/axios/axios/commit/0588880ac7ddba7594ef179930493884b7e90bf5 - () https://github.com/axios/axios/releases/tag/v1.13.2 -

21 Apr 2026, 18:19

Type	Values Removed	Values Added
CPE		cpe:2.3:a:axios:axios::::::node.js::*
References	~~() https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8 -~~	() https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8 - Exploit, Vendor Advisory
First Time		Axios axios Axios

13 Apr 2026, 19:16

Type	Values Removed	Values Added
Summary	(en) Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.	(en) Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.

08 Apr 2026, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-08 15:16

Updated : 2026-04-27 17:16

NVD link : CVE-2026-39865

Mitre link : CVE-2026-39865

CVE.ORG link : CVE-2026-39865

JSON object : View

Products Affected

axios

axios

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-662

Improper Synchronization

5.9 /10