CVE-2025-58754: 
JavaScript 脆弱性の分析と軽減

A vulnerability in the Axios library (CVE-2025-58754) was discovered affecting versions prior to 1.12.0. The flaw allows attackers to crash Node.js processes by exploiting the way Axios handles data: URLs. The vulnerability was disclosed on September 11, 2025, and received a CVSS score of 7.5 (High severity) (Security Online, GitHub Advisory).

The vulnerability stems from Axios's Node http adapter's handling of data: scheme URLs. When processing such URLs, Axios decodes the entire Base64 payload into memory without enforcing size limits or performing sanity checks. Unlike HTTP responses which respect maxContentLength and maxBodyLength limits, data: URIs bypass these protections, allowing attackers to cause unbounded memory allocation. The issue specifically lies in the fromDataURI function, which decodes the entire payload into a Buffer without size verification (GitHub Advisory).

The vulnerability can lead to Denial of Service (DoS) attacks by causing Node.js processes to crash through memory exhaustion. Even if developers configure Axios with size limits, those protections are ineffective for data: URIs, allowing attackers to trigger out-of-memory conditions with crafted requests (Security Online).

The vulnerability has been patched in Axios version 1.12.0. Users are strongly encouraged to upgrade immediately. For those unable to update, the recommended mitigation strategies include enforcing size limits by inspecting Base64 payload lengths before decoding and implementing streaming Base64 decoders to process chunks incrementally (Security Online, GitHub Advisory).