CVE Reports

Originally published at cvereports.com

GHSA-58Q2-9X27-H2JM: The Infinite Buffer: Crashing Craft CMS via Axios Data URIs

Vulnerability ID: GHSA-58Q2-9X27-H2JM
CVSS Score: 7.5
Published: 2026-01-15

A deep dive into CVE-2025-58754, where the popular Axios library's mishandling of data: URIs allows unauthenticated attackers to trigger Out-of-Memory (OOM) crashes in Solspace Freeform for Craft CMS.

TL;DR

Solspace Freeform ships a version of Axios that is vulnerable to DoS via data: URIs. Axios's Node.js http adapter decodes such a URI into memory synchronously, without applying the configured maxContentLength or any other size limit. A request whose URL is a data: URI carrying a very large Base64 payload therefore forces the process to allocate gigabytes of RAM at once, and the Node.js process dies with an Out-of-Memory error.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS: 7.5 (High)
  • Impact: Denial of Service (OOM)
  • Vulnerable Component: Axios http adapter
  • Exploit Status: PoC Available

Affected Systems

  • solspace/craft-freeform <= 4.1.29 (fixed in 4.1.30), as installed in Craft CMS
  • axios < 1.12.0 (fixed in 1.12.0), in any Node.js application that depends on it
  • Server-side rendering or build tools that pull in a vulnerable axios

Code Analysis

Commit: 945435f

Axios fix implementing estimateDataURLDecodedBytes

+ import estimateDataURLDecodedBytes from '../helpers/estimateDataURLDecodedBytes.js';
+ if (estimated > config.maxContentLength) reject(...)
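Review bot: the comparison `estimated > config.maxContentLength` on the second added line runs unconditionally, but when `maxContentLength` is left at the axios default of -1 (no limit) the condition is true for every data: URI, so the check needs a guard such as `if (config.maxContentLength > -1)` around it. The excerpt also never assigns `estimated`, so the imported `estimateDataURLDecodedBytes` is unused in the lines shown; the hunk should include the call that computes `estimated` from the request URL, and the elided `reject(...)` should carry a descriptive error rather than a bare rejection.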

Commit: e7402a1

Freeform dependency bump for axios

- "axios": "^1.7.7"
+ "axios": "^1.13.2"
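Review bot: changing the range in package.json alone does not move an existing install off the 1.7.x line; the lockfile must be regenerated and committed in the same change, otherwise the resolved axios stays wherever the old `^1.7.7` range was locked. It would also help to state in the commit message that the minimum fixed release is 1.12.0 (the advisory's affected range is < 1.12.0), so readers know `^1.13.2` is stricter than required rather than the actual fix boundary.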

Exploit Details

  • Conceptual: Constructing a data: URI with a very large Base64 payload in Node.js and passing it as the request URL to a vulnerable Axios instance triggers the crash.

Mitigation Strategies

  • Upgrade solspace/craft-freeform to 4.1.30+
  • Force the axios resolution to ^1.12.0 or later (an overrides entry in package.json for npm, or resolutions for Yarn) so that transitive copies are upgraded too
  • Implement input validation to reject data: URIs at the application boundary
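The size check that the axios fix adds, and the application-boundary validation recommended above, both come down to the same step: estimate how large a data: URI would be once decoded, from its text alone, and refuse it before anything allocates that memory. The following is an added example written for this post, not code from axios, Freeform or the advisory; the estimator is an independent, simplified implementation of the idea behind estimateDataURLDecodedBytes, the `-1` means "unlimited" convention follows axios's maxContentLength, and the two input URIs are constructed for the demonstration.

```javascript
// Added example (not axios's or Freeform's own code): refuse an oversized data: URI
// before anything decodes it. The size is estimated from the text of the URI alone,
// which is the same idea as the estimateDataURLDecodedBytes helper in the axios fix,
// but this is an independent, simplified implementation.

// Estimate how many bytes the payload of a data: URI would occupy once decoded.
// Returns 0 for anything that is not a data: URI or that has no payload section.
function estimateDataUrlDecodedBytes(url) {
  if (typeof url !== 'string' || !/^data:/i.test(url)) return 0;
  const comma = url.indexOf(',');
  if (comma === -1) return 0;                       // malformed: no payload
  const meta = url.slice(5, comma);                 // e.g. "text/plain;base64"
  const payload = url.slice(comma + 1);
  if (/;base64$/i.test(meta)) {
    // Base64: every 4 characters decode to 3 bytes; '=' padding carries no data.
    const padding = payload.endsWith('==') ? 2 : payload.endsWith('=') ? 1 : 0;
    return Math.max(0, Math.floor((payload.length * 3) / 4) - padding);
  }
  // Percent-encoded text: each %XX triple is 3 characters but decodes to 1 byte.
  const escapes = (payload.match(/%[0-9a-f]{2}/gi) || []).length;
  return new TextEncoder().encode(payload).length - escapes * 2;
}

// Decide whether a URL may be handed to an HTTP client given a byte limit.
// A limit of -1 means "unlimited" (the convention axios uses for maxContentLength).
function isWithinLimit(url, maxContentLength) {
  if (maxContentLength < 0) return true;
  return estimateDataUrlDecodedBytes(url) <= maxContentLength;
}

// Application-boundary guard: throws on an oversized data: URI, otherwise returns
// the URL unchanged so it can be used as the `url` of an outgoing request.
function assertUrlWithinLimit(url, maxContentLength) {
  if (!isWithinLimit(url, maxContentLength)) {
    throw new RangeError(
      `data: URI would decode to ~${estimateDataUrlDecodedBytes(url)} bytes, limit is ${maxContentLength}`
    );
  }
  return url;
}

// Constructed inputs: a tiny data URI and a larger one (4000 base64 chars, about 3000 bytes).
const SMALL_URI = 'data:text/plain;base64,SGVsbG8=';           // decodes to "Hello"
const LARGE_URI = 'data:application/octet-stream;base64,' + 'A'.repeat(4000);

console.log(estimateDataUrlDecodedBytes(SMALL_URI));            // 5
console.log(isWithinLimit(LARGE_URI, 1024));                    // false: ~3000 bytes > 1024
console.log(isWithinLimit(LARGE_URI, -1));                      // true: no limit configured
```

To apply the guard to every outgoing request of an axios instance that cannot be upgraded yet, register it as a request interceptor, for example `instance.interceptors.request.use(cfg => { assertUrlWithinLimit(cfg.url, cfg.maxContentLength ?? -1); return cfg; })`; the estimate is computed without decoding, so the check itself costs only a scan of the string.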

Remediation Steps:

  1. Run composer update solspace/craft-freeform to fetch version 4.1.30.
  2. Check npm list axios or yarn list axios in your build pipeline to verify the version.
  3. Restart the Node.js service/daemon to apply the changes.
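Step 2 is where remediation most often goes wrong: the hoisted axios is bumped while a transitive dependency keeps its own nested copy on an affected version. The script below is an added example, not part of the advisory, Freeform or npm; it walks the "packages" map of a lockfile v2/v3 package-lock.json, reports every axios copy including nested ones, and flags those below the 1.12.0 boundary given above. The lockfile it reads is constructed inline for the demonstration.

```javascript
// Added example (not part of the advisory, Freeform or npm): audit a package-lock.json
// for every installed copy of axios, nested ones included, and flag versions below the
// fixed release. Covers lockfile v2/v3 (the "packages" map); the sample lockfile below is
// constructed for this demonstration.

const FIXED_AXIOS = '1.12.0';   // minimum fixed version from the advisory

// Compare two dotted numeric versions; pre-release suffixes are ignored. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// One finding per axios copy: where it lives, which version resolved, and whether that
// version is still inside the affected range (< 1.12.0).
function auditAxios(lockfile) {
  const packages = lockfile.packages || {};
  const findings = [];
  for (const [location, entry] of Object.entries(packages)) {
    if (location !== 'node_modules/axios' && !location.endsWith('/node_modules/axios')) continue;
    const version = entry.version || 'unknown';
    findings.push({
      location,
      version,
      vulnerable: version !== 'unknown' && compareVersions(version, FIXED_AXIOS) < 0,
    });
  }
  return findings;
}

// Only the copies that still need fixing.
function vulnerableAxiosCopies(lockfile) {
  return auditAxios(lockfile).filter((f) => f.vulnerable);
}

// Constructed sample: the hoisted axios was bumped, but a transitive dependency still
// pins its own nested copy to the 1.7.x line. "npm list axios" shows the same tree.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.13.2', 'legacy-build-tool': '^2.0.0' } },
    'node_modules/axios': { version: '1.13.2' },
    'node_modules/legacy-build-tool': { version: '2.0.0', dependencies: { axios: '~1.7.0' } },
    'node_modules/legacy-build-tool/node_modules/axios': { version: '1.7.7' },
  },
};

for (const f of auditAxios(SAMPLE_LOCK)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.version.padEnd(8)} ${f.location}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed file (`JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`); a nested copy flagged here is exactly the case the overrides/resolutions entry from the mitigation list is meant to collapse. Lockfile v1 files use a nested "dependencies" tree instead of "packages" and are not handled by this script.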

Read the full report for GHSA-58Q2-9X27-H2JM on our website for more details including interactive diagrams and full exploit analysis.
