CVE-2026-39865 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-39865

CVE-2026-39865

Published:April 08, 2026

Updated:April 10, 2026

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.

Affected Packages

axios (NPM):

Affected version(s) >=0.1.0 <1.13.2

Fix Suggestion:

Update to version 1.13.2

Related Resources (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-39865

https://github.com/axios/axios/releases/tag/v1.13.2

https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8

https://github.com/axios/axios

Do you need more information?

CVSS v4

Base Score:

8.2

Attack Vector

NETWORK

Attack Complexity

HIGH

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

NONE

Vulnerable System Integrity

NONE

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Improper Synchronization

CWE-662

EPSS

Base Score:

0.01

Products

Solutions

Resources

Company

Compare

Developer Tools