
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability in Axios (CVE-2025-58754) affects versions prior to 1.12.0. It is triggered when Axios runs on Node.js and is given a URL with the data: scheme: the Node adapter decodes the entire payload into memory without enforcing any size limit. The issue was disclosed in September 2025 and carries a CVSS score of 7.5 (High) (GitHub Advisory).
The vulnerability lies in the Node adapter (lib/adapters/http.js), which supports the data: scheme. For such a URL the adapter does not perform an HTTP request; it calls fromDataURI() to decode the Base64 payload into a Buffer (or a Blob, for responseType: 'blob'). The decoder turns the whole Base64 string into a Buffer in a single step, with no size limit or sanity check, so the configured maxContentLength and maxBodyLength limits that bound ordinary HTTP responses never apply to this path (Security Online, GitHub Advisory).
The result is a Denial of Service (DoS) through unbounded memory allocation. An attacker who can supply a very large data: URI makes the Node.js process allocate the full decoded payload at once, exhausting memory and crashing. Requesting responseType: 'stream' does not help, because the data: path never streams; it materialises the complete Buffer regardless. Any application that passes user-controlled URLs to Axios is exposed, in particular server-side code that fetches URLs on behalf of users (GitHub Advisory).
The vulnerability is fixed in Axios 1.12.0, and users should upgrade. For those who cannot, the recommended mitigations are: enforce a size limit by computing the decoded length of the Base64 payload (three bytes per four encoded characters, less padding) before decoding, and reject anything over the limit; or decode incrementally, in chunks, aborting as soon as the running total exceeds the limit, so an oversized payload is never held in memory in full. Beyond that, avoid handing untrusted data: URIs to Axios at all, for example by allowing only http: and https: schemes on user-supplied URLs, and keep Axios away from attacker-controlled input in sensitive environments (Security Online).
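As an added example (not axios code and not the 1.12.0 patch), the following Node.js snippet shows the unbounded decode described above next to the two mitigations just listed: a size estimate computed from the encoded text before any decode, and an incremental Base64 decoder that aborts early. The function names, the regular expression, the error code string and the "-1 means unlimited" convention (chosen to mirror how axios treats its maxContentLength default) are this example's own assumptions. The inputs in the usage section are constructed.

```javascript
// Added example (not axios code): the unbounded data: URI decode behind
// CVE-2025-58754 next to two guarded alternatives. All identifiers below are
// this example's own, not axios API.

// Matches data:[<mediatype>][;base64],<data>
const DATA_URI_RE = /^data:([^,]*?)(;base64)?,(.*)$/s;

function parseDataUri(url) {
  const m = DATA_URI_RE.exec(url);
  if (!m) throw new TypeError('not a data: URI');
  return { mediaType: m[1], isBase64: m[2] !== undefined, body: m[3] };
}

// The shape of the bug: the whole payload is materialised as one Buffer,
// whatever size limit the caller configured.
function decodeDataUriUnbounded(url) {
  const { isBase64, body } = parseDataUri(url);
  return isBase64
    ? Buffer.from(body, 'base64')
    : Buffer.from(decodeURIComponent(body), 'utf8');
}

// Decoded size computed from the encoded text alone: 3 bytes per 4 Base64
// characters minus padding, or one byte per %XX escape otherwise. Nothing
// proportional to the decoded payload is allocated here. (Whitespace inside
// a Base64 body would make the Base64 estimate slightly high, never low.)
function estimateDataUriDecodedBytes(url) {
  const { isBase64, body } = parseDataUri(url);
  if (isBase64) {
    const padding = body.endsWith('==') ? 2 : body.endsWith('=') ? 1 : 0;
    return Math.floor((body.length * 3) / 4) - padding;
  }
  const escapes = (body.match(/%/g) || []).length;
  return Buffer.byteLength(body, 'utf8') - 2 * escapes;
}

function tooLarge(limit) {
  const err = new Error(`maxContentLength size of ${limit} exceeded`);
  err.code = 'ERR_DATA_URI_TOO_LARGE'; // example's own code, not an axios error code
  return err;
}

// Mitigation 1: check the estimate against the limit before decoding.
// A limit of -1 means "no limit" here (assumption mirroring axios's
// maxContentLength default), so callers must set a finite value to be protected.
function decodeDataUriBounded(url, maxContentLength) {
  if (maxContentLength > -1 && estimateDataUriDecodedBytes(url) > maxContentLength) {
    throw tooLarge(maxContentLength);
  }
  return decodeDataUriUnbounded(url);
}

// Mitigation 2: incremental decode of a Base64 body that arrives in pieces
// (a stream, a file read in chunks). Only complete 4-character groups are
// decoded per piece; the remainder is carried into the next one. Decoding
// stops as soon as the running total exceeds maxBytes, so an oversized
// payload is never fully materialised.
function* decodeBase64Incremental(pieces, maxBytes) {
  let carry = '';
  let total = 0;
  const emit = (text) => {
    const buf = Buffer.from(text, 'base64');
    total += buf.length;
    if (total > maxBytes) throw tooLarge(maxBytes);
    return buf;
  };
  for (const piece of pieces) {
    const text = carry + piece.replace(/\s+/g, '');
    const usable = text.length - (text.length % 4);
    carry = text.slice(usable);
    if (usable > 0) yield emit(text.slice(0, usable));
  }
  if (carry) yield emit(carry); // trailing unpadded group, if the source omitted '='
}

function decodeBase64IncrementalToBuffer(pieces, maxBytes) {
  return Buffer.concat([...decodeBase64Incremental(pieces, maxBytes)]);
}

// Usage with constructed inputs: a small URI passes; a 1 MiB payload is
// rejected by the estimate before any decode allocation takes place.
function demo() {
  const smallUri = 'data:text/plain;base64,SGVsbG8sIHdvcmxkIQ==';
  console.log(decodeDataUriBounded(smallUri, 64).toString('utf8'));
  const bigUri = 'data:application/octet-stream;base64,' +
    Buffer.alloc(1024 * 1024).toString('base64');
  try {
    decodeDataUriBounded(bigUri, 512 * 1024);
  } catch (e) {
    console.log(`rejected: ${e.code}`);
  }
  const pieces = ['SGVsb', 'G8sIHdvcm', 'xkIQ==']; // split at non-4 boundaries on purpose
  console.log(decodeBase64IncrementalToBuffer(pieces, 64).toString('utf8'));
}
demo();
```

The estimate is exact for well-formed Base64 and percent-encoded bodies, so it can be applied as a hard pre-check before the existing decode path; the incremental decoder is the option when the URI itself is too large to hold as a single string and must be consumed from a stream.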
Source: This report was generated using AI