All axios CVEs — Complete Vulnerability History
axios is one of the most widely used HTTP clients for JavaScript, in both browsers and Node.js. Its CVE history is dominated by three themes: server-side request forgery through URL and redirect handling, leakage of credentials or anti-CSRF tokens to hosts that should never receive them, and regular-expression denial of service in internal helpers.
npm · 50M+ weekly downloads · 4 CVEs covered on this page
CVE history: the 4 CVEs covered on this page
| CVE ID | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2020-28168 | 2020 | MEDIUM | SSRF / proxy bypass: a server could answer with a redirect and the follow-up request would be sent to a host (for example an internal address) that the configured proxy was supposed to keep unreachable | Fixed in 0.21.1 |
| CVE-2021-3749 | 2021 | HIGH | Regular expression DoS in the internal trim() helper, reachable through response header parsing; a response containing long runs of whitespace makes the client spend quadratic time | Fixed in 0.21.2 |
| CVE-2022-1214 | 2022 | MEDIUM | Exposure of confidential data via logs in debug mode | Fixed in 0.26.0 |
| CVE-2023-45857 | 2023 | MEDIUM | XSRF-TOKEN cookie value copied into an X-XSRF-TOKEN header on every browser request, including cross-origin ones, so any third-party host the page calls receives the anti-CSRF token | Fixed in 1.6.0 |
Recommended version
✓ Update to 1.7.4 or later
1.7.4 fixes all 4 CVEs listed above. Before pinning it, run npm audit (or check the npm advisory database) for axios advisories published after this table was compiled: the fix version of the newest advisory is the real floor, and newer releases are where fixes land.
Before and after
Vulnerable:
"axios": "0.21.1"
Fixed:
"axios": "1.7.4"
Then run: npm install, and commit the updated package-lock.json so the resolved version changes, not just the declared range.
Paste your manifest — see your exact installed version against this full CVE list.
Scan with PackageFix → Free · No signup · No CLI · Runs in your browser
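The same check can be done offline. The following is an added example, not code from this page, from PackageFix or from axios: it pulls the resolved axios version out of a package-lock.json (or, failing that, the declared range in package.json) and compares it with the fix versions from the table above. The fix versions are copied from the table; CVE-2023-45857 additionally carries the 0.28.0 backport for the 0.x line, taken from the GitHub advisory, which a single "fixed in" column cannot express. The sample lockfile is constructed for the example.

```javascript
// Added example, not code from the page or from axios: check one installed
// axios version against the fix versions in the table above, offline.
// Fix versions come from the table; the 0.28.0 entry for CVE-2023-45857 is
// the 0.x backport listed in the GitHub advisory.
const AXIOS_ADVISORIES = [
  { cve: 'CVE-2020-28168', fixedIn: ['0.21.1'] },
  { cve: 'CVE-2021-3749',  fixedIn: ['0.21.2'] },
  { cve: 'CVE-2022-1214',  fixedIn: ['0.26.0'] },
  { cve: 'CVE-2023-45857', fixedIn: ['0.28.0', '1.6.0'] },
];

// Parse "1.7.4", "v1.7.4" or a caret/tilde range such as "^0.21.1" into
// [major, minor, patch]. A range only gives the floor; the lockfile has the truth.
function parseSemver(v) {
  const m = /^[\^~=v]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Affected if the version predates the fix on its own major line (which is
// how a backport is expressed); with no fix on that line, affected only if
// it predates every fix the advisory lists.
function isAffected(version, fixedIn) {
  const major = parseSemver(version)[0];
  const sameLine = fixedIn.filter((f) => parseSemver(f)[0] === major);
  const candidates = sameLine.length > 0 ? sameLine : fixedIn;
  return candidates.every((f) => compareSemver(version, f) < 0);
}

function affectedCves(version) {
  return AXIOS_ADVISORIES.filter((a) => isAffected(version, a.fixedIn)).map((a) => a.cve);
}

// Pull the axios version out of package-lock.json (v1, v2 or v3) or, failing
// that, the declared range in package.json.
function axiosVersionFromManifest(jsonText) {
  const m = JSON.parse(jsonText);
  const pkg = m.packages && m.packages['node_modules/axios'];
  if (pkg && pkg.version) return pkg.version;                              // lockfile v2/v3
  const dep = m.dependencies && m.dependencies.axios;
  if (dep && typeof dep === 'object' && dep.version) return dep.version;  // lockfile v1
  if (typeof dep === 'string') return dep;                                 // package.json range (floor only)
  const devDep = m.devDependencies && m.devDependencies.axios;
  return typeof devDep === 'string' ? devDep : null;
}

// Constructed sample lockfile (v3) pinning the "before" version from this page.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '^0.21.1' } },
    'node_modules/axios': { version: '0.21.1' },
  },
});

const installed = axiosVersionFromManifest(SAMPLE_LOCK);
console.log(`axios ${installed}: affected by ${affectedCves(installed).join(', ') || 'none of the listed CVEs'}`);
```

Feed it the real lockfile rather than package.json whenever you can: a declared range such as ^0.21.1 only tells you the oldest version npm may install, and the resolved version in the lockfile is what actually ships.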
Common questions
What is the safest version of axios to use?
This page recommends 1.7.4, which fixes every CVE in the table above. Avoid anything below 1.6.0, the release that introduced the fix for CVE-2023-45857. Newer releases may fix advisories published after this table, so when you upgrade, prefer the latest release and confirm with npm audit.
Does CVE-2023-45857 affect all axios users?
No. It only matters where axios runs in a browser and reads document.cookie: if the page carries an XSRF-TOKEN cookie, vulnerable versions copied its value into an X-XSRF-TOKEN header on every request, including requests to third-party origins, so any host the page talks to could read the anti-CSRF token. Server-side Node.js code using axios is not exposed to this one, and apps that do not use cookie-based XSRF tokens have little exposure. You should still upgrade, because the same dependency usually ends up in both the browser bundle and the server.
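To make the condition concrete, here is an added example that is not axios's source: a stripped-down model of the single decision behind CVE-2023-45857, whether the XSRF-TOKEN cookie is copied into an X-XSRF-TOKEN header, in its pre-1.6.0 and post-1.6.0 forms. The cookie parser, the page origin, the cookie string and the target URLs are constructed for the example, and the withXSRFToken parameter models the opt-in that later 1.6.x releases added; the real adapter has more conditions than this.

```javascript
// Added example, not axios's source: models only the decision of whether the
// XSRF-TOKEN cookie is attached as an X-XSRF-TOKEN header, before and after
// the 1.6.0 fix for CVE-2023-45857.
const XSRF_COOKIE = 'XSRF-TOKEN';
const XSRF_HEADER = 'X-XSRF-TOKEN';

// Minimal document.cookie parser, written for this example.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Same origin means same scheme, host and port. Relative URLs resolve
// against the page origin, so they are always same-origin.
function isSameOrigin(requestUrl, pageOrigin) {
  const target = new URL(requestUrl, pageOrigin);
  const page = new URL(pageOrigin);
  return target.protocol === page.protocol && target.host === page.host;
}

// Before 1.6.0: if the cookie exists, every request gets the header, so any
// third-party host the page talks to receives the anti-CSRF token.
function xsrfHeadersVulnerable(requestUrl, pageOrigin, cookieString) {
  const token = readCookie(cookieString, XSRF_COOKIE);
  return token ? { [XSRF_HEADER]: token } : {};
}

// 1.6.0 and later: only same-origin requests get the header, unless the caller
// explicitly opts in (withXSRFToken) for a cross-origin API it trusts.
function xsrfHeadersFixed(requestUrl, pageOrigin, cookieString, withXSRFToken = false) {
  const token = readCookie(cookieString, XSRF_COOKIE);
  if (!token) return {};
  if (withXSRFToken || isSameOrigin(requestUrl, pageOrigin)) {
    return { [XSRF_HEADER]: token };
  }
  return {};
}

// Constructed scenario: a page on app.example with an XSRF cookie calling
// its own API and a third-party analytics host.
const PAGE_ORIGIN = 'https://app.example';
const COOKIES = 'session=s3ss10n; XSRF-TOKEN=t0k3n';
for (const url of ['/api/profile', 'https://analytics.example/collect']) {
  console.log(url,
    'vulnerable:', xsrfHeadersVulnerable(url, PAGE_ORIGIN, COOKIES),
    'fixed:', xsrfHeadersFixed(url, PAGE_ORIGIN, COOKIES));
}
```

The practical check after upgrading is the inverse of the bug: if a cross-origin API suddenly stops receiving X-XSRF-TOKEN, that is the fix working, and the right response is to set the opt-in only for origins that legitimately validate your token, not to downgrade.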
What changed in the fix for CVE-2023-45857?
Starting with 1.6.0, axios attaches the X-XSRF-TOKEN header only to same-origin requests instead of to every request, and later 1.6.x releases added the withXSRFToken option as an explicit opt-in for cross-origin APIs that genuinely need the token. The fix was also backported to the 0.x line in 0.28.0. The mechanism is in the browser (XHR) adapter only; the Node.js http adapter never read cookies, which is why the vulnerability is rated Medium rather than Critical.
Is there a major version migration needed?
Yes, axios 1.x has some breaking changes from 0.x. The ones most applications notice are that request failures are now instances of AxiosError (still a subclass of Error, so existing catch blocks keep working unless they compare error shapes) and that the package ships both ESM and CommonJS builds, which can change how it is imported under some bundler configurations. Most applications need minimal changes. The 0.x line received a backport of the CVE-2023-45857 fix in 0.28.0, but it is not where new fixes land, so moving to 1.x is the durable option.