Axios: The Billion-Byte Gulp (CVE-2025-58754)
Vulnerability ID: CVE-2025-58754
CVSS Score: 7.5
Published: 2025-09-12
A logic flaw in the popular Axios HTTP client allowed 'data:' URIs to bypass size limits, leading to instantaneous Out-of-Memory (OOM) crashes in Node.js applications.
TL;DR
Axios ignored maxContentLength when handling data: URIs. An attacker could supply a massive Base64 string in a URL, causing the server to synchronously allocate gigabytes of memory and crash via heap exhaustion.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-400 (Uncontrolled Resource Consumption)
- Attack Vector: Network (Public API)
- CVSS: 7.5 (High)
- Impact: Denial of Service (OOM)
- Platform: Node.js
- Exploit Status: Trivial / PoC Available
Affected Systems
- Node.js applications using Axios < 1.12.0
- Web scrapers
- Link preview services
- Image processing pipelines fetching remote URLs
- SSRF-vulnerable endpoints
- axios: < 0.30.2 (Fixed in: 0.30.2)
- axios: >= 1.0.0, < 1.12.0 (Fixed in: 1.12.0)
Code Analysis
Commit: 945435f
Fix: data uri maxContentLength (security fix)
+ if (config.maxContentLength > -1) {
+ const estimated = estimateDataURLDecodedBytes(url);
+ if (estimated > config.maxContentLength) { ... }
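Review bot: the guard only runs when config.maxContentLength > -1, so a caller that keeps the -1 (unlimited) default still gets the unbounded allocation on a data: URI; the fix's documentation should state that an explicit maxContentLength is required for this protection to apply, and the elided rejection branch should throw before any decoding starts, since avoiding the allocation is the whole point.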
Commit: a1b1d3f
Backport fix to 0.x branch
(Backport of logic from 945435f)
Exploit Details
- GitHub Security Advisory: Advisory containing description of the data URI vector.
Mitigation Strategies
- Upgrade Axios to version 1.12.0+ (or 0.30.2+ for legacy branches).
- Validate user-supplied URLs to ensure they use allowed protocols (e.g., allow http/https, block data:).
- Implement process-level memory limits (`--max-old-space-size`) to fail faster, though this doesn't prevent the crash.
Remediation Steps:
- Run `npm audit` to identify the vulnerable dependency path.
- Run `npm install axios@latest` or `yarn upgrade axios`.
- Verify the version in `package-lock.json` is >= 1.12.0.
- Review codebases for `axios.get(userInput)` patterns and add protocol validation.
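As an added example (not axios's own code), the protocol allowlist from the mitigation list combined with a pre-flight decoded-size estimate in the spirit of the 1.12.0 fix, applied before a user-supplied URL ever reaches `axios.get()`. `estimateDataUrlDecodedBytes` and `checkUrl` are hypothetical helpers written here, not axios APIs.

```javascript
// Hypothetical pre-flight guard for user-supplied URLs (added example, not axios code).
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Estimate the decoded size of a data: URL without decoding it.
// Base64 payloads decode to ~3/4 of their length minus padding;
// percent-encoded payloads decode to at most their raw length.
// Returns 0 for anything that is not a well-formed data: URL.
function estimateDataUrlDecodedBytes(url) {
  const comma = url.indexOf(',');
  if (!url.toLowerCase().startsWith('data:') || comma === -1) return 0;
  const meta = url.slice(5, comma);
  const payload = url.slice(comma + 1);
  if (/;base64$/i.test(meta)) {
    const padding = payload.endsWith('==') ? 2 : payload.endsWith('=') ? 1 : 0;
    return Math.floor((payload.length * 3) / 4) - padding;
  }
  return payload.length;
}

// Decide whether rawUrl may be passed to axios.get().
// maxContentLength follows the axios convention: -1 means no limit.
// data: URLs are rejected unless allowDataUrls is set, and even then
// only if their estimated decoded size fits under maxContentLength.
function checkUrl(rawUrl, { maxContentLength = -1, allowDataUrls = false } = {}) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (parsed.protocol === 'data:') {
    if (!allowDataUrls) return { ok: false, reason: 'data: URLs are not allowed' };
    const estimated = estimateDataUrlDecodedBytes(rawUrl);
    if (maxContentLength > -1 && estimated > maxContentLength) {
      return { ok: false, reason: `data: URL would decode to ~${estimated} bytes` };
    }
    return { ok: true };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `protocol ${parsed.protocol} not allowed` };
  }
  return { ok: true };
}

// Constructed sample: a 2000-character base64 body (~1500 decoded bytes) against a 1 KiB limit.
const OVERSIZED_DATA_URL = 'data:application/octet-stream;base64,' + 'A'.repeat(2000);
```

Run `checkUrl(OVERSIZED_DATA_URL, { maxContentLength: 1024, allowDataUrls: true })` to see the size-based rejection; with the defaults the same URL is rejected by protocol alone.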
References
Read the full report for CVE-2025-58754 on our website for more details including interactive diagrams and full exploit analysis.