
CVE-2026-44496 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Axios HTTP client library (npm package) that allows an attacker who can influence the XSRF cookie name configuration to trigger catastrophic regex backtracking in standard browser environments. It affects Axios versions <= 0.31.1 on the 0.x line and >= 1.0.0, < 1.16.0 on the 1.x line. The vulnerability was published by maintainer jasonsaayman on May 30, 2026, and added to the GitHub Advisory Database on June 4, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Axios Security Advisory).
The root cause is in lib/helpers/cookies.js (read(name) function), which constructs a RegExp object by directly concatenating the unsanitized name parameter: document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)')). Because regex metacharacters in name are never escaped, an attacker can inject patterns with nested quantifiers (e.g., (.+)+$) that cause exponential backtracking against the contents of document.cookie (CWE-1333, CWE-400). The vulnerable code path is reached via lib/helpers/resolveConfig.js (1.x) and lib/adapters/xhr.js (0.x) when the XHR/fetch adapters resolve the XSRF cookie name from configuration — which can be influenced through prototype pollution or direct configuration injection. The issue is strictly limited to standard browser environments where document.cookie is accessible; Node.js HTTP adapter usage, React Native, and web workers are unaffected (GitHub Advisory, Axios Security Advisory).
The impact is limited to availability only — the vulnerability does not expose credentials, modify requests, or affect response integrity. A successful exploit causes the JavaScript event loop to stall, freezing the affected browser tab and blocking all pending asynchronous operations, timers, and I/O callbacks for the duration of the regex evaluation. In Server-Side Rendering (SSR) scenarios where the vulnerable code path is reachable, the Node.js event loop could be blocked, rendering the server unresponsive. PoC benchmarks demonstrate exponential growth: a 26-character payload produces ~1,344 ms of CPU consumption, and a 30-character payload extrapolates to over 5 minutes (GitHub Advisory).
Upgrade to Axios 0.32.0 (0.x line) or Axios 1.16.0 (1.x line), which replace dynamic regex construction with string-based cookie parsing using exact string equality comparisons (Axios v0.32.0 Release, Axios v1.16.0 Release). If immediate upgrade is not possible, apply one or more of the following workarounds:
- Set xsrfCookieName: null in the Axios configuration if XSRF cookie reading is not required.
- Do not derive xsrfCookieName from untrusted or user-controlled input.
- Do not call axios/unsafe/helpers/cookies.js directly with untrusted input (Axios Security Advisory).

Source: This report was generated using artificial intelligence.
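The following is an added example, not code from Axios or from this report. It puts the dynamic-regex cookie reader pattern described in the root-cause section beside a string-based reader that compares cookie names with exact string equality (the approach the fixed releases are described as using), and adds a constructed configuration guard that illustrates the workarounds above: xsrfCookieName: null disables reading, only an own property of the config is honoured so a value inherited through a polluted Object.prototype is ignored, and the name must pass a conservative allowlist. The function names, the sample cookie string, the allowlist policy and the assumed default name 'XSRF-TOKEN' are this example's own assumptions, not Axios internals.

```javascript
// Added example, not Axios's own code. Names, sample data and policy are constructed.

// Vulnerable pattern as described in the advisory: the cookie name is
// concatenated into a RegExp without escaping, so metacharacters in `name`
// become part of the pattern that is matched against the whole cookie string.
function readCookieVulnerable(cookieString, name) {
  const match = cookieString.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
  return match ? match[1] : null;
}

// Hardened reader: no RegExp is built from `name`. Each "key=value" pair is
// split once on '=' and the key is compared with strict string equality, so a
// name such as "(.+)+$" is just a name that no cookie happens to have.
function readCookieSafe(cookieString, name) {
  if (typeof name !== 'string' || name.length === 0) return null;
  for (const pair of cookieString.split(';')) {
    const trimmed = pair.trim();
    const eq = trimmed.indexOf('=');
    if (eq === -1) continue;
    if (trimmed.slice(0, eq) === name) return trimmed.slice(eq + 1);
  }
  return null;
}

// Audit helper: flags a configured name that the vulnerable reader would
// interpret as a pattern (useful when reviewing configs on unpatched versions).
const REGEX_METACHARS = /[.*+?^${}()|[\]\\]/;
function nameLooksLikeRegex(name) {
  return typeof name === 'string' && REGEX_METACHARS.test(name);
}

// Constructed stand-in for the XSRF cookie-name resolution step:
//  - `xsrfCookieName: null` disables cookie reading (advisory workaround);
//  - only an *own* property is honoured, so a value inherited from a polluted
//    Object.prototype is ignored;
//  - the name must match a conservative allowlist (stricter than the RFC 6265
//    cookie-name grammar; a constructed policy, not Axios's).
const DEFAULT_XSRF_COOKIE_NAME = 'XSRF-TOKEN'; // assumed default
const SAFE_NAME = /^[A-Za-z0-9_-]+$/;
function resolveXsrfCookieName(config) {
  if (!Object.prototype.hasOwnProperty.call(config, 'xsrfCookieName')) {
    return DEFAULT_XSRF_COOKIE_NAME;
  }
  const name = config.xsrfCookieName;
  if (name === null) return null;
  if (typeof name !== 'string' || !SAFE_NAME.test(name)) {
    throw new TypeError('xsrfCookieName must match ' + SAFE_NAME + ', got ' + JSON.stringify(name));
  }
  return name;
}

// Shows that a polluted prototype never reaches the lookup. The pollution is
// applied and removed inside the function so it cannot leak elsewhere.
function resolveWithPollutedPrototype() {
  Object.prototype.xsrfCookieName = '(.+)+$';
  try {
    return resolveXsrfCookieName({});
  } finally {
    delete Object.prototype.xsrfCookieName;
  }
}

// Constructed cookie string standing in for document.cookie.
const SAMPLE_COOKIES = 'session=abc123; XSRF-TOKEN=tok-1; theme=dark';

console.log(readCookieSafe(SAMPLE_COOKIES, DEFAULT_XSRF_COOKIE_NAME)); // tok-1
console.log(nameLooksLikeRegex('(.+)+$'));                              // true
```

On ordinary names both readers return the same value; the difference is only that readCookieSafe has no pattern to backtrack over, which is why the fix is a parsing change rather than an escaping change. The allowlist in resolveXsrfCookieName is a defence-in-depth check for configs that must stay on an unpatched version; it is deliberately narrower than what RFC 6265 permits in a cookie name.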