Description
axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Impacted applications include those that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.
Published: 2026-01-07
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data leakage due to proxy configuration exposure
Action: Patch immediately
AI Analysis

Impact

The race condition in axios4go's shared HTTP client causes the global defaultClient to be mutated without synchronization during request execution, altering the Transport, Timeout and CheckRedirect fields. In concurrent goroutine requests that supply different proxy configurations, this can cause one request to observe another request’s proxy settings, which may include authentication credentials or tokens, leading to accidental leakage of sensitive information. The flaw is a classic race condition, classified as CWE-362.

Affected Systems

All Go applications that import rezmoss/axios4go and use a version earlier than 0.6.4 are impacted. The issue specifically affects code paths that perform concurrent GetAsync, PostAsync or other async calls and provide distinct proxy settings for each request, as the shared client is mutated globally.

Risk and Exploitability

With a CVSS score of 8.2, the vulnerability is rated high severity, but the EPSS estimate of <1% indicates a low likelihood of exploitation at present. It is not listed in the CISA KEV catalog, meaning no widespread attacks have been observed. Exploitation requires an attacker who can influence concurrent goroutine requests and supply varied proxy configurations; the attack vector is therefore inferred from the concurrency behavior described in the advisory.

Generated by OpenCVE AI on April 18, 2026 at 16:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade axios4go to v0.6.4 or later, which removes the race condition.
  • If upgrading is not possible, avoid using the shared defaultClient for concurrent requests; instead instantiate a separate http.Client for each goroutine or each distinct proxy configuration.
  • Change any code that modifies request proxy settings concurrently so that it uses proper synchronization (e.g., mutexes) or avoids shared mutable state altogether.
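To make the second and third recommendations concrete, here is an added example (not axios4go's own code): a process-wide `http.Client` whose `Transport` is overwritten on every call, modelled on the pattern the advisory describes, beside the hardened form that copies an immutable base client per proxy configuration. The function names, the proxy URLs and their placeholder credentials are assumptions.

```go
package main

import (
	"net/http"
	"net/url"
	"time"
)

// proxyTransport builds an isolated Transport that routes through proxy.
func proxyTransport(proxy string) (*http.Transport, error) {
	u, err := url.Parse(proxy)
	if err != nil {
		return nil, err
	}
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.Proxy = http.ProxyURL(u)
	return tr, nil
}

// Vulnerable shape, modelled on the advisory's description (not axios4go's
// code): one process-wide client whose Transport is overwritten on every call.
var defaultClient = &http.Client{Timeout: 30 * time.Second}
func unsafeClientFor(proxy string) (*http.Client, error) {
	tr, err := proxyTransport(proxy)
	if err != nil {
		return nil, err
	}
	defaultClient.Transport = tr // unsynchronised write; racing goroutines swap proxies
	return defaultClient, nil
}

// Hardened shape: never mutate the shared value; copy an immutable base per proxy configuration.
var baseClient = http.Client{Timeout: 30 * time.Second}
func safeClientFor(proxy string) (*http.Client, error) {
	tr, err := proxyTransport(proxy)
	if err != nil {
		return nil, err
	}
	c := baseClient // struct copy; only the copy receives the new Transport
	c.Transport = tr
	return &c, nil
}

// proxyOf reports which proxy a client would route through, without sending anything.
func proxyOf(c *http.Client) string {
	req, _ := http.NewRequest("GET", "https://example.invalid/", nil)
	u, _ := c.Transport.(*http.Transport).Proxy(req)
	return u.String()
}
```

Run the unsafe variant under `go test -race` with two goroutines calling it and the detector flags the write to `defaultClient.Transport`; the safe variant produces no report because nothing shared is written.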

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 14:00:00 +0000

Values added (none removed):
  • First Time appeared: Rezmoss; Rezmoss axios4go
  • CPEs: cpe:2.3:a:rezmoss:axios4go:*:*:*:*:*:go:*:*
  • Vendors & Products: Rezmoss; Rezmoss axios4go
  • Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 08 Jan 2026 21:15:00 +0000

Values added (none removed):
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 22:45:00 +0000

Values added (none removed):
  • Description: axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Impacted applications include those that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.
  • Title: axios4go's Race Condition in Shared HTTP Client Allows Proxy Configuration Leak
  • Weaknesses: CWE-362
  • References:
  • Metrics: cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-01-08T20:37:17.978Z
Reserved: 2026-01-02T18:45:27.397Z
Link: CVE-2026-21697

Vulnrichment
Updated: 2026-01-08T20:37:12.742Z

NVD
Status: Analyzed
Published: 2026-01-07T23:15:50.533
Modified: 2026-03-09T13:57:52.080
Link: CVE-2026-21697

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-04-18T17:00:05Z

Weaknesses