CVE-2026-39865
Denial of Service vulnerability in axios (npm)

What is CVE-2026-39865 About?

This vulnerability in Axios HTTP/2 session cleanup logic allows a malicious server to crash the client process. A state corruption bug enables concurrent session closures to trigger a denial of service in Axios versions prior to 1.13.2. Exploitation requires careful timing and an attacker-controlled HTTP/2 server.

Affected Software

axios <1.13.2

Technical Details

The vulnerability exists in the Http2Sessions.getSession() method within lib/adapters/http.js in Axios. The session cleanup logic contains a control-flow error when removing sessions from the entries array. Specifically, after entries.splice(i, 1) is called to remove a session, the iteration while (i--) continues. If len is not 1 (meaning there are multiple entries in the array), the loop keeps iterating over an array that splice has just modified, so shifted array indices can be accessed incorrectly.

A malicious HTTP/2 server can trigger this by establishing multiple concurrent sessions with an Axios client and then closing all of them at the same time with precise timing. The concurrent closures exercise the buggy cleanup logic, corrupting the session state and ultimately crashing the client process, resulting in a denial of service (DoS).
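As an added illustration, constructed for this write-up and not code from axios or from the advisory, the pool below shows the general hazard the paragraph describes (mutating the entries array while a loop is still walking it) next to the defensive shape a session cleanup handler should take: locate one entry by identity at the moment the close event fires, remove it once, stop, and treat a repeated close event for the same session as a no-op. The hazardous loop is a forward-iteration variant of the same mistake, not a reproduction of the axios loop; the names SessionPool, onClose and closeAllAtOnce are hypothetical.

```javascript
// Added, constructed example (not axios's code): a minimal session pool that
// demonstrates mutating an array during iteration, and an identity-based,
// idempotent removal that stays consistent when several sessions close at once.

function makeSession(id) {
  // Stand-in for an http2.ClientHttp2Session; only the fields this example needs.
  return { id, closed: false };
}

// Hazardous pattern: the loop keeps walking an array it has just spliced.
// Removing entries[i] shifts every later element down one slot, so the element
// that lands in slot i is never examined and a closed session survives cleanup.
function pruneClosedHazardous(entries) {
  for (let i = 0; i < entries.length; i++) {
    if (entries[i].closed) {
      entries.splice(i, 1);
      // no index adjustment and no break: the next iteration reads a shifted slot
    }
  }
  return entries;
}

// Hardened pattern: never mutate the array being iterated; build the list of
// survivors instead and swap it in as a whole.
function pruneClosedSafe(entries) {
  return entries.filter((s) => !s.closed);
}

// Pool whose per-session close handler removes exactly one entry, found by
// identity when the handler runs rather than by a cached index, and then stops.
// A second close event for the same session is ignored, so overlapping
// closures cannot double-remove or skip entries.
class SessionPool {
  constructor() {
    this.entries = [];
  }
  open(id) {
    const session = makeSession(id);
    this.entries.push(session);
    return session;
  }
  onClose(session) {
    if (session.closed) return false; // idempotent: already handled
    session.closed = true;
    const idx = this.entries.indexOf(session); // fresh lookup at close time
    if (idx !== -1) this.entries.splice(idx, 1); // remove once, then stop
    return true;
  }
  size() {
    return this.entries.length;
  }
}

// Deliver close events for every session in one burst, including a duplicate
// event for the first session, the way a server tearing down all of its
// sessions in the same tick would. Returns how many events were acted on and
// how many entries remain in the pool afterwards.
function closeAllAtOnce(pool, sessions) {
  const events = [...sessions, sessions[0]]; // duplicate event for sessions[0]
  let handled = 0;
  for (const s of events) {
    if (pool.onClose(s)) handled++;
  }
  return { handled, remaining: pool.size() };
}
```

Running pruneClosedHazardous over three sessions of which the first two are closed leaves the second closed session in place, while pruneClosedSafe removes both; closeAllAtOnce over a pool of three sessions handles exactly three events (the duplicate is ignored) and leaves the pool empty.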

What is the Impact of CVE-2026-39865?

Successful exploitation may allow attackers to crash the Axios client process, leading to a complete loss of availability for applications using the vulnerable Axios library when connecting to a malicious or compromised HTTP/2 server.

What is the Exploitability of CVE-2026-39865?

Exploitation of this vulnerability is of high complexity: the attacker must operate a malicious HTTP/2 server and precisely time the closure of multiple concurrent HTTP/2 sessions. The Axios client must have HTTP/2 enabled and be configured to connect to the attacker-controlled server. The attacker needs no authentication to the client, because the vulnerability lies in the client's handling of server-initiated session closures, and no privileges are needed on the attacked client system. This is a remote attack. The prerequisite conditions are that the client uses Axios with HTTP/2 enabled, connects to an untrusted server, and establishes multiple concurrent HTTP/2 sessions. The timing precision required for the concurrent closures makes successful exploitation more challenging.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2026-39865?

Available Upgrade Options

  • axios
    • <1.13.2 → Upgrade to 1.13.2

Additional Resources

What are Similar Vulnerabilities to CVE-2026-39865?

Similar Vulnerabilities: CVE-2023-46237, CVE-2023-46604, CVE-2024-21657, CVE-2024-2826, CVE-2023-38408