CVE-2025-58754 - Axios Data URI Memory Exhaustion Vulnerability – How Hackers Can Crash Your Node.js App
Axios is a super popular HTTP client used in both browser and Node.js apps. But in early 2024, a serious vulnerability—now tracked as CVE-2025-58754—was found that could let bad actors crash your server with just a single malicious request.
If you’re using an Axios version before .30.2 or 1.12. on Node.js and your code fetches untrusted URLs, you need to read this! We’ll break down what went wrong, how the attack works, and how to fix it.
What Is the Problem?
Axios lets you send HTTP requests easily—usually to URLs like https://api.example.com/. But it also accepts *data URLs* (data: schemes), which aren’t real HTTP links. Instead, data URLs are designed to carry small data blobs:
data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==
On Node.js, when Axios gets a data: URL, it does not perform an HTTP request. Instead, it fires up its Node.js adapter and decodes the *entire* payload into memory—using a Buffer or Blob, depending on your setup.
Here’s the catch:
Axios enforces limits like maxContentLength or maxBodyLength to protect you from huge HTTP responses. But for data URLs, these limits are ignored. The entire data string, no matter how huge, is decoded into memory, with no limits at all.
If someone can make your code fetch a user-supplied URL, they could do this:
const axios = require('axios');
// This is a MASSIVE data: URL (imagine a gigabyte of 'A's)
const bigDataUri = 'data:application/octet-stream;base64,' + 'A'.repeat(1024 * 1024 * 1024);
// This will exhaust your server's memory and crash the process
axios.get(bigDataUri).catch(e => console.error(e));
Axios will happily decode all the gigabytes, leading to unbounded RAM usage. If your server is low on memory, this means instant crash—a Denial of Service (DoS) attack.
1. Attacker crafts a huge data: URI, sometimes over a gigabyte in base64 text.
2. Attacker gets your API to request that URI—maybe by making a POST that your backend will follow.
3. Your Node.js server loads the data into memory, since Axios treats it like a file—not an HTTP fetch.
Even if you set Axios options like
{
  responseType: 'stream',
  maxContentLength: 1048576, // 1 MB
  maxBodyLength: 1048576
}
Axios ignores these for data: URLs and reads the full payload into memory.
Affected: REST APIs, downloaders, proxies, or anything on Node.js that exposes a “fetch this URL” route.
Frontend (browser) use is not affected, because browsers handle data URIs differently.
Fixed in 1.12. (for 1.x users).
Here's the change on GitHub.
function isSafeUrl(url) {
  // Block the data: scheme (case-insensitive) before the URL reaches Axios
  return !/^data:/i.test(url);
}
// Keep a tight content cap on everything you do fetch
axios.get(url, {
  maxContentLength: 1024 * 100, // 100 KB
});
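As an added example (not code from the original post or from the axios project), the following goes a step beyond the regex check above: it rejects every non-http(s) scheme using the WHATWG URL parser, and where a data: URI must be allowed it estimates the decoded size from the string length before anything is decoded, so a maxContentLength-style cap holds even on Axios versions that skip it. The function names and the 100 KB budget are assumptions of this example.

```javascript
// Added example (not from the original post or the axios project): a pre-flight
// check for user-supplied URLs. Non-http(s) schemes are rejected via the WHATWG
// URL parser (which also lower-cases the scheme and trims leading whitespace,
// unlike a bare /^data:/ regex), and an allowed data: URI is size-checked from
// its string length before decoding. Names and the 100 KB budget are assumptions.
const MAX_DECODED_BYTES = 100 * 1024;

// Estimate the decoded size of a data: URI without decoding it. Returns -1 for
// anything that is not a data: URI. The estimate is an upper bound.
function estimateDataUriDecodedBytes(url) {
  const m = /^data:([^,]*?)(;base64)?,([\s\S]*)$/i.exec(url);
  if (!m) return -1;
  const payload = m[3];
  if (m[2]) {
    // base64: 4 characters decode to 3 bytes; '=' padding and whitespace are not data.
    const n = payload.replace(/[=\s]/g, '').length;
    return Math.floor((n * 3) / 4);
  }
  // Percent-encoded text: each %XX triple decodes to a single byte.
  const escapes = (payload.match(/%[0-9a-f]{2}/gi) || []).length;
  return new TextEncoder().encode(payload).length - escapes * 2;
}

// Decide whether a URL taken from a request body may be handed to axios.get().
// Returns { ok: true, url, decodedBytes? } or { ok: false, reason }.
function checkOutboundUrl(raw, { allowData = false, maxDecodedBytes = MAX_DECODED_BYTES } = {}) {
  // Cheap length gate first: percent-encoding expands at most 3:1, so anything longer
  // cannot be a permitted data: URI. This drops a gigabyte string before it is parsed.
  if (typeof raw !== 'string' || raw.length > maxDecodedBytes * 3 + 256) {
    return { ok: false, reason: 'url missing or too long' };
  }
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable url' };
  }
  if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
    return { ok: true, url: parsed.href };
  }
  if (parsed.protocol === 'data:' && allowData) {
    const decodedBytes = estimateDataUriDecodedBytes(parsed.href);
    if (decodedBytes > maxDecodedBytes) {
      return { ok: false, reason: `data URI would decode to ~${decodedBytes} bytes, limit ${maxDecodedBytes}` };
    }
    return { ok: true, url: parsed.href, decodedBytes };
  }
  return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
}
```

Call checkOutboundUrl() on the incoming value and only pass result.url to axios.get() when result.ok is true; the maxContentLength option still belongs on the request for the http(s) case.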
References
- CVE-2025-58754 - NVD entry
- Axios Security Advisory
- Axios PR #5532 (Patch)
- What’s a data URI? - MDN Docs
Takeaway
Do not delay updating Axios in your Node.js apps.
If you handle user-supplied URLs, filter them and never trust data: URIs.
CVE-2025-58754 is a textbook example of how small oversights with “non-HTTP” URLs can lead to big security headaches. Patch today, and remind your team: Always validate what you fetch!
Timeline
Published on: 09/12/2025 02:15:46 UTC
Last modified on: 10/24/2025 20:56:49 UTC