Axios, a promise‑based HTTP client used in browsers and Node.js, is affected by a Regular Expression Denial of Service vulnerability in all releases older than 0.32.0 on the 0.x branch and older than 1.16.0 on the 1.x branch. The flaw emerges because Axios composes a regular expression from the configured XSRF cookie name without escaping any regex metacharacters. When an attacker can influence the cookie name that Axios reads from document.cookie, the resulting regex can trigger catastrophic backtracking, causing the browser tab to freeze while a request is being prepared. This impact is limited to environments that parse document.cookie—Node.js adapters, React Native, or web workers are not affected. The issue is mitigated by applying the latest patches: upgrade to 0.32.0 or later on the 0.x line, or 1.16.0 or later on the 1.x line.

Affected vendors and products include axios:axios. Clients using the axios HTTP client are impacted if they run any 0.x version older than 0.32.0 or any 1.x version older than 1.16.0. These versions are present in many front‑end web applications that rely on Axios for HTTP requests. The vulnerability is fixed in 0.32.0 and 1.16.0.

With a CVSS score of 7.5, the vulnerability represents a moderate‑to‑high severity risk. EPSS data is not available, and the vulnerability is not listed in CISA KEV. The attack vector is client‑side: an attacker must control or influence a cookie name that Axios reads from document.cookie, which is realistic for sites that accept arbitrary cookie names from third‑party resources or rely on insecure cookie handling. Successful exploitation would lead to denial of service for the affected browser session but does not provide confidentiality or integrity compromise. Because the issue is limited to browser environments that read document.cookie, Node.js server environments are not at risk.