🔌 APIs & SDKs

[Security] Regular expression Denial of Service (ReDoS)

over 4 years ago
Mar 14, 2026
0 views
Confidence Score: 78%

Problem

Describe the bug

A ReDoS (regular expression denial of service) flaw was found in the axios package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU.

https://www.huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/

To Reproduce

Code snippet to reproduce, ideally, that will work by pasting into something like https://npm.runkit.com/axios

[code block]

Expected behavior

Environment

- Axios Version [e.g. 0.21.1]
- Adapter [e.g. XHR/HTTP]
- Browser [e.g. Chrome, Safari]
- Browser Version [e.g. 22]
- Node.js Version [e.g. 14.17.5]
- OS: [e.g. iOS 12.1.0, OSX 10.13.4]
- Additional Library Versions [e.g. React 16.7, React Native 0.58.0]

Additional context/Screenshots

Add any other context about the problem here. If applicable, add screenshots to help explain.
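As an added example, not code from this issue or from axios, the following shows the pattern this class of bug comes from and the linear-time replacement. It assumes the vulnerable trim has the shape `/^\s*/` followed by `/\s*$/` (the end-anchored greedy whitespace pattern behind regex-trim ReDoS; this page does not show axios's actual source, so treat that shape as an assumption), constructs its own attacker input of n spaces plus one non-whitespace character, and uses function names (`trimVulnerable`, `trimLinear`, `backtrackingProbes`, `compareTrims`) chosen here rather than taken from the project.

```javascript
// Added example (not code from the issue or from axios): a regex trim with
// the end-anchored greedy pattern that causes ReDoS, two linear-time
// replacements, a probe counter that shows why the blow-up is quadratic,
// and a timing harness for a crafted input.

// Assumed vulnerable shape: `\s*` anchored to `$`. When the string ends in a
// non-whitespace character, the engine greedily eats the whitespace run,
// fails at `$`, gives back one character at a time, fails again, then
// restarts one offset later and repeats the whole scan: O(n^2) probes.
function trimVulnerable(str) {
  return str.replace(/^\s*/, '').replace(/\s*$/, '');
}

// Hardened: String.prototype.trim scans once from each end, no backtracking.
function trimNative(str) {
  return str.trim();
}

// The same thing spelled out as index arithmetic, for code paths where a
// regex-free implementation is preferred. Also O(n).
function trimLinear(str) {
  let start = 0;
  let end = str.length;
  while (start < end && /\s/.test(str[start])) start++;
  while (end > start && /\s/.test(str[end - 1])) end--;
  return str.slice(start, end);
}

// Constructed attacker input: a long run of spaces followed by one
// non-whitespace character, so `$` fails after every greedy match.
function craftedInput(n) {
  return ' '.repeat(n) + 'x';
}

// Models what a backtracking matcher does for /\s*$/: for each start offset,
// consume whitespace greedily, then test `$` at every shorter length before
// moving to the next offset. Returns the number of `$` probes made.
// On craftedInput(n) this is n(n+1)/2 + n + 2.
function backtrackingProbes(str) {
  let probes = 0;
  for (let start = 0; start <= str.length; start++) {
    let end = start;
    while (end < str.length && /\s/.test(str[end])) end++;
    for (let k = end; k >= start; k--) {
      probes++;
      if (k === str.length) return probes; // `$` matched
    }
  }
  return probes; // not reached: /\s*$/ always matches at str.length
}

// Wall-clock cost of one call, in milliseconds.
function measureMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Runs the three trims on a crafted input of n spaces and returns timings.
function compareTrims(n) {
  const input = craftedInput(n);
  return {
    regex: measureMs(trimVulnerable, input),
    native: measureMs(trimNative, input),
    linear: measureMs(trimLinear, input),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [100, 1000, 10000]) {
    console.log(`n=${n}: ${backtrackingProbes(craftedInput(n))} probes`);
  }
  // Expect the regex column to grow far faster than the other two.
  for (const n of [10000, 20000, 40000]) {
    const t = compareTrims(n);
    console.log(`n=${n}: regex ${t.regex.toFixed(1)} ms, ` +
      `trim() ${t.native.toFixed(3)} ms, linear ${t.linear.toFixed(3)} ms`);
  }
}
```

Run it with node to print probe counts and timings. Doubling n roughly quadruples the work of the regex version while the two linear trims stay flat, which is the whole attack: an attacker who controls a header value or URL fragment that is trimmed with such a pattern pays O(n) bytes to cost the server O(n^2) CPU. The practical rule is to avoid anchoring a greedy repeat to `$` on attacker-controlled strings, to cap input length before any regex runs, and to prefer String.prototype.trim() for trimming.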

1 Fix

Canonical Fix
High Confidence Fix
76% confidence · 100% success rate · 4 verifications · Last verified Mar 14, 2026

Solution: [Security] Regular expression Denial of Service (ReDoS)

Low Risk

@ready-research Please do not disclose security issues publicly, and kindly remove all details of the bug from the public domain, including this issue: https://github.com/axios/axios/issues/3978 The maintainers of this repo won't be able to access the huntr.dev link provided either. Kindly let us facilitate this process with the axios team. Thank you.

Trust Score: 76 (4 verifications, 100% success)
Validation

Resolved in axios/axios GitHub issue #3979. Community reactions: 5 upvotes.

Verification Summary

Worked: 4
Partial: 1
Last verified Mar 14, 2026

Submitted by: Alex Chen (2450 rep)

Tags: axios, http, api