axios CVE Vulnerabilities & Metrics

Focus on axios vulnerabilities and metrics.

Last updated: 16 Apr 2025, 22:25 UTC

About axios Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with axios. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total axios CVEs: 5
Earliest CVE date: 07 May 2019, 19:29 UTC
Latest CVE date: 12 Aug 2024, 13:38 UTC

Latest CVE reference: CVE-2024-39338

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical axios CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.42

Max CVSS: 7.8

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	2
4.0-6.9	2
7.0-8.9	1
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS axios CVEs

These are the five CVEs with the highest CVSS scores for axios, sorted by severity first and recency.

CVE-2021-3749 axios Published on 31 Aug 2021, 11:15 UTC (CVSS: 7.8)
axios is vulnerable to Inefficient Regular Expression Complexity
CVE-2019-10742 axios Published on 07 May 2019, 19:29 UTC (CVSS: 5.0)
Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.
CVE-2020-28168 axios Published on 06 Nov 2020, 20:15 UTC (CVSS: 4.3)
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
CVE-2024-39338 axios Published on 12 Aug 2024, 13:38 UTC (CVSS: 0)
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
CVE-2023-45857 axios Published on 08 Nov 2023, 21:15 UTC (CVSS: 0)
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

All CVEs for axios

CVE-2024-39338 axios vulnerability CVSS: 0 12 Aug 2024, 13:38 UTC

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

CVE-2023-45857 axios vulnerability CVSS: 0 08 Nov 2023, 21:15 UTC

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

CVE-2021-3749 axios vulnerability CVSS: 7.8 31 Aug 2021, 11:15 UTC

axios is vulnerable to Inefficient Regular Expression Complexity

CVE-2020-28168 axios vulnerability CVSS: 4.3 06 Nov 2020, 20:15 UTC

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

CVE-2019-10742 axios vulnerability CVSS: 5.0 07 May 2019, 19:29 UTC

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.