{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39865", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T19:13:20.379Z", "datePublished": "2026-04-08T14:25:27.865Z", "dateUpdated": "2026-04-08T16:05:53.792Z"}, "containers": {"cna": {"title": "Axios HTTP/2 Session Cleanup State Corruption Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-662", "lang": "en", "description": "CWE-662: Improper Synchronization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8"}], "affected": [{"vendor": "axios", "product": "axios", "versions": [{"version": "< 1.13.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T14:25:27.865Z"}, "descriptions": [{"lang": "en", "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2."}], "source": {"advisory": "GHSA-qj83-cq47-w5f8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T16:05:44.694147Z", "id": "CVE-2026-39865", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:05:53.792Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39865", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T16:05:44.694147Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:05:50.934Z"}}], "cna": {"title": "Axios HTTP/2 Session Cleanup State Corruption Vulnerability", "source": {"advisory": "GHSA-qj83-cq47-w5f8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "axios", "product": "axios", "versions": [{"status": "affected", "version": "< 1.13.2"}]}], "references": [{"url": "https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8", "name": "https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-662", "description": "CWE-662: Improper Synchronization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T14:25:27.865Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39865", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:05:53.792Z", "dateReserved": "2026-04-07T19:13:20.379Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T14:25:27.865Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2."}], "id": "CVE-2026-39865", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T15:16:16.210", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-662"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.13.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "axios", "source": "cna", "vendor": "axios"}, "product": "axios", "vendor": "axios"}], "analysis": {"en": {"generated_at": "2026-04-08T16:24:01.597306+00:00", "value": {"mitigation_remediation": ["Upgrade Axios to version 1.13.2 or later."], "summary": {"action": "Immediate Patch", "impact": "Application Crash (Denial of Service)"}, "threat_synthesis": {"affected_systems": "The Axios JavaScript HTTP client, versions prior to 1.13.2, is affected. All releases before the fix in 1.13.2 harbor the vulnerability, regardless of the environment (browser or Node.js).", "description_and_impact": "A state corruption bug in the HTTP/2 session cleanup logic of the Axios HTTP client allows a malicious server to crash the client process by forcing concurrent session closures. The flaw originates from incorrect control flow when removing sessions from the internal array, which can terminate the running process and interrupt all HTTP requests. The impact is limited to denial of service; the vulnerability does not provide direct access to data or control over the system.", "risk_and_exploitability": "The CVSS base score of 5.9 indicates a medium severity. The Exploit Prediction Scoring System (EPSS) score is not available, making the precise likelihood of exploitation uncertain. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to control a remote server that the Axios client contacts; the attack vector is likely remote network interaction, and it does not require elevated privileges or user interaction beyond accessing the compromised server."}}}}, "created": "2026-04-08T19:26:58.780939+00:00", "updated": "2026-04-08T19:39:23.835622+00:00", "vendors": ["axios", "axios$PRODUCT$axios"]}