Description
Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.
Published: 2026-04-08
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via client crash
Action: Immediate Patch
AI Analysis

Impact

Axios version 1.13.0‑1.13.1 contains a control flow bug in the HTTP/2 session cleanup code. When a malicious server triggers concurrent session closures, the client can corrupt internal state and crash, resulting in denial of service. The weakness involves improper handling of the sessions array, potentially leading to invalid memory access. This aligns with the weaknesses identified by CWE‑367, CWE‑400 and CWE‑662.

Affected Systems

The affected product is Axios, the promise‑based HTTP client for browsers and Node.js, with vendors axios:axios. Affected versions are 1.13.0 through 1.13.1, inclusive. Versions 1.13.2 and later are not vulnerable.

Risk and Exploitability

The vulnerability receives a CVSS score of 5.9, indicating moderate severity. The EPSS score is below 1 %, and the flaw is not listed in the CISA KEV catalog, implying that widespread exploitation is currently unlikely. The likely attack vector is a malicious server that initiates HTTP/2 requests causing concurrent session cleanup; triggering this vulnerability would require the client to establish multiple connections with a server that intentionally closes sessions in parallel. While the conditions for exploitation are specific, a crash can interrupt services and potentially lead to broader denial‑of‑service scenarios if the client is critical to application availability.

Generated by OpenCVE AI on April 13, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Axios to version 1.13.2 or newer.

Generated by OpenCVE AI on April 13, 2026 at 21:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qj83-cq47-w5f8 Axios HTTP/2 Session Cleanup State Corruption Vulnerability
History

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
References

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*

Mon, 13 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2. Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.

Thu, 09 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Axios
Axios axios
Vendors & Products Axios
Axios axios

Wed, 08 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.
Title Axios HTTP/2 Session Cleanup State Corruption Vulnerability
Weaknesses CWE-400
CWE-662
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Axios Axios
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-27T17:00:06.795Z

Reserved: 2026-04-07T19:13:20.379Z

Link: CVE-2026-39865

cve-icon Vulnrichment

Updated: 2026-04-08T16:05:50.934Z

cve-icon NVD

Status : Modified

Published: 2026-04-08T15:16:16.210

Modified: 2026-04-27T17:16:43.350

Link: CVE-2026-39865

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-08T14:25:27Z

Links: CVE-2026-39865 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:38:15Z

Weaknesses