Axios is one of the most popular libraries for making HTTP requests in JavaScript, widely used in both browser and Node.js environments. However, recent security research has uncovered a critical vulnerability (CVE-2025-58754) affecting many applications built with Axios. This article dives deep into the vulnerability, how it works, real-world risks, mitigation, and code examples to help you stay secure.
What Is CVE-2025-58754?
CVE-2025-58754 is a Denial of Service (DoS) vulnerability affecting Axios on Node.js when it handles data: scheme (Data URI) URLs. Affected versions are 0.28.0 up to but not including 0.30.2, and the 1.x line before 1.12.0.
- If Axios is given a data: URL, it processes it *without* the regular HTTP safeguards.
- During this process, Axios ignores the usual maxContentLength and maxBodyLength settings—these do not apply since this isn’t an actual HTTP request.
- This means a large payload in a data: URI makes Axios allocate a huge buffer in memory.
- As a result, an attacker can make the Node.js process run out of memory and crash, even if you set responseType: 'stream'.
Why Is This a Problem?
Usually, maxContentLength and maxBodyLength help protect Node.js apps from downloaded files that are too large. Axios skips these limits for data: URLs. This loophole lets attackers supply enormous Data URIs, making Axios try to buffer the complete contents—even if it’s gigabytes.
If you don’t restrict user-supplied URLs, an attacker can hand you a bogus Data URI like this one (the template literal needs backticks, which the original listing lost):

```javascript
const axios = require('axios');

const largeSize = 100 * 1024 * 1024; // 100 MB of payload
const bigData = 'A'.repeat(largeSize);
// data: URI carrying the whole payload as base64
const dataUrl = `data:text/plain;base64,${Buffer.from(bigData).toString('base64')}`;

axios.get(dataUrl, {
  maxContentLength: 1024, // user thinks it's limited to 1 KB
  responseType: 'stream'  // try to avoid buffering
}).then(response => {
  console.log('Downloaded!');
}).catch(console.error);
```
Expected: Axios should refuse the fetch because the decoded payload exceeds maxContentLength.
Actual: The limits are ignored and Axios allocates memory for the entire payload; the process eventually exhausts memory and crashes with an Out of Memory (OOM) error.
This applies even to responseType: 'stream', so you can’t bypass it by requesting a stream instead of a buffer.
Official Patch
- Fixed in v0.30.2 and v1.12.0 (Release notes)

Upgrade immediately:

```shell
npm install axios@^0.30.2
# or
npm install axios@^1.12.0
```
If you cannot upgrade right away, reject data: URLs before they reach Axios (the check below matches the scheme case-insensitively and ignores leading whitespace, so `DATA:` and ` data:` are caught as well):

```javascript
function isDataUri(url) {
  // scheme names are case-insensitive; a bare startsWith('data:') would miss 'DATA:'
  return /^\s*data:/i.test(url);
}

function assertNotDataUri(url) {
  if (isDataUri(url)) throw new Error('Data URIs not allowed!');
}
```
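As an added example (not from this article or the Axios project), here is a pre-flight check that covers both the bypass described above and the workaround: it parses the URL with the WHATWG URL parser, allows only http/https by default, and, where data: URIs must be accepted, estimates their decoded size so an oversized payload is rejected before Axios buffers it. The names `checkUrl` and `estimateDataUriBytes`, the 1 MiB default, and the option names are assumptions.

```javascript
// Added example; not part of the original article or of Axios itself.
// Protocol allowlist plus a decoded-size estimate for data: URIs, applied
// before the URL is ever handed to axios.get(). Helper names are assumptions.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Estimate how many bytes Axios would have to buffer for a data: URI without
// decoding it. Base64 decodes to roughly 3/4 of its length (minus padding);
// a percent-encoded payload is at most its literal length.
function estimateDataUriBytes(url) {
  const comma = url.indexOf(',');
  if (comma === -1) throw new Error('Malformed data: URI (no comma)');
  const meta = url.slice(5, comma);      // text between "data:" and ","
  const payload = url.slice(comma + 1);
  if (/;base64$/i.test(meta)) {
    const padding = (payload.match(/=+$/) || [''])[0].length;
    return Math.floor((payload.length * 3) / 4) - padding;
  }
  return payload.length;
}

// Validate a user-supplied URL before calling axios. Returns the parsed URL on
// success and throws on anything the policy does not allow.
function checkUrl(rawUrl, { maxContentLength = 1024 * 1024, allowData = false } = {}) {
  let parsed;
  try {
    parsed = new URL(rawUrl); // the parser lowercases the scheme, so "DATA:" is caught too
  } catch {
    throw new Error('Invalid URL');
  }
  if (parsed.protocol === 'data:') {
    if (!allowData) throw new Error('Data URIs not allowed!');
    const bytes = estimateDataUriBytes(rawUrl);
    if (bytes > maxContentLength) {
      throw new Error(`data: URI would decode to ~${bytes} bytes, above the ${maxContentLength} limit`);
    }
    return parsed;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    throw new Error(`Protocol ${parsed.protocol} not allowed`);
  }
  return parsed;
}

module.exports = { checkUrl, estimateDataUriBytes };
```

Call `checkUrl(url, { maxContentLength })` with the same limit you pass to Axios, so the data: path is held to the limit the HTTP path already enforces.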
Useful Links
- Axios Official Advisory
- NPM Advisory
- Axios Release Notes
- OWASP Data URI Attack Vector Guide
Final Thoughts
CVE-2025-58754 is a classic example of how small oversights in open-source code—especially around non-HTTP protocols—can expose systems to large-scale DoS attacks. If your apps use Axios and process user-supplied URLs, make sure you’ve upgraded or are validating inputs.
Always keep dependencies up-to-date, and audit how your app handles user URLs. Attackers don’t just think about the web—they’ll exploit every corner, including Data URI tricks.
Timeline
Published on: 09/12/2025 01:16:40 UTC
Last modified on: 01/16/2026 15:15:52 UTC