CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-39865: Denial of Service via Array State Corruption in Axios HTTP/2 Session Cleanup

Vulnerability ID: CVE-2026-39865
CVSS Score: 5.9
Published: 2026-04-08

Axios versions prior to 1.13.2 contain a state corruption vulnerability in the HTTP/2 session cleanup routine. The improper handling of array mutations during backwards iteration allows a malicious HTTP/2 server to crash the Node.js process by terminating multiple sessions concurrently.

TL;DR

A bug in the Axios HTTP/2 session cleanup code (lib/adapters/http.js) causes an unhandled TypeError when mutating a session array during iteration. Malicious servers can trigger this via concurrent session closures, leading to an application crash (DoS). Fixed in version 1.13.2.
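To make the failure mode concrete, here is an added, self-contained illustration of the bug class the advisory describes: a backwards cleanup loop over a session array whose body triggers a listener that mutates the same array. This is not Axios code; FakeSession, makePool, reapIdleVulnerable, reapIdleFixed and the sample pool are all constructed for this example, and the eviction behaviour of the close listener is a hypothetical stand-in for "multiple sessions terminated concurrently". The fixed variant mirrors the shape of the upstream hunk (return immediately after the entry is handled).

```javascript
// Added illustration, not Axios code: a model of the bug class the advisory
// describes (an array mutated while a backwards cleanup loop still iterates)
// and of the early-exit fix. All names here are constructed.

// Stand-in for an HTTP/2 session. destroy() runs its close listeners
// synchronously, so they execute inside whatever loop called destroy().
class FakeSession {
  constructor(origin) {
    this.origin = origin;
    this.destroyed = false;
    this.closeListeners = [];
  }
  onClose(fn) { this.closeListeners.push(fn); }
  destroy() {
    if (this.destroyed) return;
    this.destroyed = true;
    for (const fn of this.closeListeners) fn();
  }
}

// Session pool: one entry per session plus a count of in-flight requests.
// The close listener evicts every pooled session for the same origin at once.
// That models several sessions being torn down together (hypothetical pool
// policy) as a single synchronous multi-element removal from `entries`.
function makePool() {
  const entries = [];
  function add(session) {
    const entry = { session, refs: 0 };
    entries.push(entry);
    session.onClose(() => {
      for (let i = entries.length - 1; i >= 0; i--) {
        if (entries[i].session.origin === session.origin) entries.splice(i, 1);
      }
    });
    return entry;
  }
  return { entries, add };
}

// VULNERABLE pattern: walk the array backwards and tear down idle sessions.
// destroy() re-enters the close listener, which may shrink the array by more
// than one element; on the next iteration entries[i] is undefined and the
// property read throws a TypeError. Uncaught, that ends the Node.js process.
function reapIdleVulnerable(entries) {
  for (let i = entries.length - 1; i >= 0; i--) {
    const entry = entries[i];
    if (entry.refs === 0) {
      entry.session.destroy();
      entries.splice(i, 1);
    }
  }
}

// FIXED pattern, in the spirit of the upstream hunk: return as soon as one
// entry has been handled, so no index computed before the mutation is used
// again. One call handles one entry; the caller is driven per close event.
function reapIdleFixed(entries) {
  for (let i = entries.length - 1; i >= 0; i--) {
    const entry = entries[i];
    if (entry.refs === 0) {
      entry.session.destroy();
      entries.splice(i, 1);
      return;
    }
  }
}

// Three idle sessions to one origin (constructed input).
function buildScenario() {
  const pool = makePool();
  for (let n = 0; n < 3; n++) pool.add(new FakeSession('https://constructed.example'));
  return pool;
}

// True when fn throws a TypeError, false when it completes normally.
function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

function demo() {
  const before = buildScenario();
  const after = buildScenario();
  return {
    vulnerableCrashes: throwsTypeError(() => reapIdleVulnerable(before.entries)),
    fixedCrashes: throwsTypeError(() => reapIdleFixed(after.entries)),
    remainingAfterFix: after.entries.length,
  };
}

console.log(demo()); // { vulnerableCrashes: true, fixedCrashes: false, remainingAfterFix: 0 }
```

The trace that matters: the loop starts at index 2, destroys that session, the listener empties the array, and the next iteration reads `entries[1]` of an empty array. The early return avoids ever reaching that read; it also means a single call handles only one entry, which is fine when the cleanup is invoked once per close event but is something to keep in mind if a batch reaper is ever built on the same loop.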


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400 / CWE-662
  • Attack Vector: Network
  • CVSS v3.1 Score: 5.9 (Medium)
  • Impact: Denial of Service (Process Crash)
  • Exploit Status: Proof of Concept
  • CISA KEV: Not Listed

Affected Systems

  • Axios HTTP client for Node.js (< 1.13.2)
  • Axios: < 1.13.2 (Fixed in: 1.13.2)

Code Analysis

Commit: 12c314b

Primary fix: exit the loop immediately after the matching entry is handled, so the array is not indexed again after it may have been mutated.

@@ -120,6 +120,7 @@
           } else {
             entries.splice(i, 1);
           }
+          return;
         }
       }
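Review bot: the added `return;` exits the enclosing function, not just the loop, so any statement after the loop (not visible in this hunk) is skipped on this path; if the intent is only to stop iterating, `break;` is the narrower change. The hunk also carries no regression test; since the function now handles at most one matching entry per call, a test that closes several sessions at once would document the intended behaviour and guard against a future revert.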

Commit: 0588880

Support Fix: Module exports corrections.

Module export fixes related to the core codebase.

Commit: 08b84b5

Release commit for v1.13.2

Version bump and changelog generation for 1.13.2.

Mitigation Strategies

  • Upgrade Axios dependency to version 1.13.2 or higher.
  • Disable HTTP/2 support in the Axios client configuration to force HTTP/1.1 downgrade.
  • Run the application under a process manager that restarts it automatically after a crash.

Remediation Steps:

  1. Identify the current Axios version in the project by running npm ls axios.
  2. Update the package.json dependency to specifically require ^1.13.2.
  3. Run npm install or yarn install to update the lockfile and download the patched version.
  4. Execute the application test suite to verify no regressions in HTTP client behavior.
  5. Deploy the updated application to production environments.
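For step 1, `npm ls axios` reports the installed copies, but a transitive dependency can pin its own nested axios that a top-level bump does not touch. The following added example (not from the advisory or the Axios project) walks a lockfileVersion 2/3 `package-lock.json` and flags every `node_modules/.../axios` entry below the fixed version. The lockfile object is constructed inline; `example-sdk` is a hypothetical package name.

```javascript
// Added example, not Axios or advisory code: find every installed copy of
// axios in an npm lockfile and flag those older than the fixed release.
const FIXED_AXIOS = '1.13.2';

// Parse "MAJOR.MINOR.PATCH", ignoring any prerelease or build suffix.
// (Simplification: "1.13.2-beta" is treated as 1.13.2.)
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  const parts = core.split('.').map((n) => parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// -1 if a < b, 0 if equal, 1 if a > b (numeric per component).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 2/3 keeps a "packages" map from install path to metadata,
// e.g. "node_modules/axios" or "node_modules/some-sdk/node_modules/axios".
function isAxiosPath(path) {
  return path === 'node_modules/axios' || path.endsWith('/node_modules/axios');
}

function findAxiosCopies(lock, fixed = FIXED_AXIOS) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!isAxiosPath(path) || !info.version) continue;
    findings.push({
      path,
      version: info.version,
      vulnerable: compareVersions(info.version, fixed) < 0,
    });
  }
  return findings;
}

// Constructed lockfile fragment: patched top-level axios plus a vulnerable
// copy nested under a hypothetical third-party SDK.
const SAMPLE_LOCK = {
  name: 'constructed-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.13.2' },
    'node_modules/example-sdk': { version: '2.0.0' },
    'node_modules/example-sdk/node_modules/axios': { version: '1.12.0' },
  },
};

// Install paths of axios copies that still need an upgrade.
function vulnerablePaths(lock = SAMPLE_LOCK) {
  return findAxiosCopies(lock).filter((f) => f.vulnerable).map((f) => f.path);
}

for (const f of findAxiosCopies(SAMPLE_LOCK)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok'}  ${f.path}  ${f.version}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. A nested vulnerable copy means the fix is not a one-line change to `package.json`: the dependency that pins it needs updating, or an `overrides` entry in `package.json` must force the patched version, and `npm ls axios` should be re-run until no copy below 1.13.2 remains.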

Read the full report for CVE-2026-39865 on our website for more details including interactive diagrams and full exploit analysis.
