QwikSec

Security Database

CVE

CWE

Training

CVE-2026-39865

Published: Apr 8, 2026

Modified: Apr 27, 2026

PUBLISHED

CVSS v3.1

5.9

MEDIUM

Description

Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.

Vendor	Product	Versions
axios	axios	affected `>= 1.13.0, < 1.13.2`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8

x_refsource_CONFIRM

https://github.com/axios/axios/commit/0588880ac7ddba7594ef179930493884b7e90bf5

x_refsource_MISC

https://github.com/axios/axios/releases/tag/v1.13.2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.