Axios HTTP/2 Session Cleanup State Corruption Vulnerability

Description

Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.

Affected Products

Vendor	Product	Versions
axios	axios	>= 1.13.0, < 1.13.2

References

https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

VulDB6d ago

CVE-2026-39865 | Axios up to 1.13.1 lib/adapters/http.js Http2Sessions.getSession resource consumption

→ No new info (linked only)

CVSS 3.15.9 MEDIUM

VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

axios@1.13.2

CWECWE-400, CWE-662

PublishedApr 8, 2026

Trending Score15

Source articles1

Independent1

Info Completeness0/14

Missing: cve_id, title, description, vendor, product, versions, cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Axios HTTP/2 Session Cleanup State Corruption Vulnerability

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (4)

Pin to Dashboard

Verification

Vulnerability Timeline