### [CVE-2025-58754](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58754)
![](https://img.shields.io/static/v1?label=Product&message=axios&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%201.12.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-770%3A%20Allocation%20of%20Resources%20Without%20Limits%20or%20Throttling&color=brightgreen)

### Description

Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to version 1.11.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Version 1.11.0 contains a patch for the issue.

### POC

#### Reference
- https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj

#### Github
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://github.com/meistrari/n8n-nodes-tela