CVE-2026-39865 | Axios up to 1.13.1 lib/adapters/http.js Http2Sessions.getSession resource consumption
VulDB · Archived Apr 08, 2026
A vulnerability was found in Axios up to 1.13.1 and classified as problematic. It affects the function Http2Sessions.getSession in the library file lib/adapters/http.js. The manipulation leads to resource consumption. This vulnerability is tracked as CVE-2026-39865. The attack may be performed remotely. No exploit is available. Upgrading the affected component is recommended.
VDB-356249 · CVE-2026-39865 · GCVE-0-2026-39865
CVSS Meta Temp Score: 4.7
Current Exploit Price (≈): $0-$5k
CTI Interest Score: 0.75+
Summary
A vulnerability was found in Axios up to 1.13.1. It has been classified as problematic. This vulnerability affects the function Http2Sessions.getSession in the library lib/adapters/http.js. The manipulation leads to resource consumption. This vulnerability is traded as CVE-2026-39865. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is recommended.
Details
A vulnerability, which was classified as problematic, has been found in Axios up to 1.13.1. This issue affects the function Http2Sessions.getSession in the library file lib/adapters/http.js. Manipulation with an unknown input leads to a resource consumption vulnerability, classified under CWE-400: the product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. The impact is on availability. The summary by CVE is:
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.
The advisory is shared at github.com. The identification of this vulnerability is CVE-2026-39865 since 04/07/2026. The exploitation is known to be difficult. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1499 for this issue.
Upgrading to version 1.13.2 eliminates this vulnerability.
Product
Name: Axios
Versions: 1.13.0, 1.13.1
Website: https://github.com/axios/axios/
CVSSv3
VulDB Meta Base Score: 4.8
VulDB Meta Temp Score: 4.7
VulDB Base Score: 3.7
VulDB Temp Score: 3.6
CNA Base Score: 5.9
Exploiting
Class: Resource consumption
CWE: CWE-400 / CWE-404
Physical: No
Local: No
Remote: Yes
Status: Not defined
Countermeasures
Recommended: Upgrade
Upgrade: Axios 1.13.2
Timeline
04/07/2026 CVE reserved
04/08/2026 +1 day Advisory disclosed
04/08/2026 +0 days VulDB entry created
04/08/2026 +0 days VulDB entry last update
Sources
Product: github.com
Advisory: github.com
Status: Confirmed
CVE: CVE-2026-39865
GCVE (CVE): GCVE-0-2026-39865
GCVE (VulDB): GCVE-100-356249
Entry
Created: 04/08/2026 17:20
Changes: 04/08/2026 17:20 (64)