7.5

CVE-2026-44496

Exploit

Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection

Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios reads document.cookie. The practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read document.cookie. This vulnerability is fixed in 0.32.0 and 1.16.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AxiosAxios SwPlatformnode.js Version < 0.32.0
AxiosAxios SwPlatformnode.js Version >= 1.0.0 < 1.16.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.65% 0.463
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

https://bugzilla.redhat.com/show_bug.cgi?id=2487943
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44496.json
https://access.redhat.com/errata/RHSA-2026:20889
https://access.redhat.com/errata/RHSA-2026:20938
https://access.redhat.com/errata/RHSA-2026:26234
https://access.redhat.com/errata/RHSA-2026:33574
https://access.redhat.com/errata/RHSA-2026:29197
https://access.redhat.com/errata/RHSA-2026:30651
https://access.redhat.com/errata/RHSA-2026:33155
https://access.redhat.com/errata/RHSA-2026:33160
https://access.redhat.com/errata/RHSA-2026:33163
https://access.redhat.com/errata/RHSA-2026:33173
https://access.redhat.com/errata/RHSA-2026:33183
https://access.redhat.com/errata/RHSA-2026:30650
https://access.redhat.com/errata/RHSA-2026:27044
https://access.redhat.com/errata/RHSA-2026:27063
https://access.redhat.com/errata/RHSA-2026:28964
https://access.redhat.com/errata/RHSA-2026:29082
https://access.redhat.com/errata/RHSA-2026:28571
https://access.redhat.com/errata/RHSA-2026:30076
https://access.redhat.com/errata/RHSA-2026:33683
https://access.redhat.com/errata/RHSA-2026:36820
https://access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:34766
https://access.redhat.com/errata/RHSA-2026:36754
https://access.redhat.com/errata/RHSA-2026:36883
https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf
Vendor Advisory
Exploit
Mitigation
https://access.redhat.com/security/cve/CVE-2026-44496