CVE-2026-39865

CVE-2026-39865 is a medium-severity uncontrolled resource consumption vulnerability in axios (npm), affecting versions >= 1.13.0, < 1.13.2. It is fixed in 1.13.2.

Summary

Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. This denial-of-service vulnerability affects axios versions prior to 1.13.2 when HTTP/2 is enabled.

Details

The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array.

Vulnerable Code:

while (i--) {
  if (entries[i][0] === session) {
    entries.splice(i, 1);              // the array is modified here
    if (len === 1) {
      delete this.sessions[authority];
      return;
    }
    // len > 1: no return, so the loop keeps iterating over the modified array
  }
}

Root Cause:
After calling entries.splice(i, 1) to remove a session, the original code only returned early if len === 1. For arrays with multiple entries, the iteration continued after modifying the array, causing undefined behavior and potential crashes when accessing shifted array indices.

Fixed Code:

while (i--) {
  if (entries[i][0] === session) {
    if (len === 1) {
      delete this.sessions[authority]; // last session: drop the whole entry
    } else {
      entries.splice(i, 1);            // otherwise remove just this session
    }
    return;                            // always stop iterating after the removal
  }
}

The fix restructures the control flow to immediately return after removing a session, regardless of whether the array is being emptied or just having one element removed. This prevents continued iteration over a modified array and eliminates the state corruption vulnerability.

Affected Component:

  • lib/adapters/http.js - Http2Sessions class, session cleanup in connection close handler

PoC

  1. Set up a malicious HTTP/2 server that accepts multiple concurrent connections from an axios client
  2. Establish multiple concurrent HTTP/2 sessions with the axios client
  3. Close all sessions simultaneously with precise timing
  4. The flawed cleanup logic attempts to iterate over and modify the sessions array concurrently
  5. This causes the client to access invalid memory locations, resulting in a process crash

Prerequisites:

  • Client must use axios with HTTP/2 enabled
  • Client must connect to attacker-controlled HTTP/2 server
  • Multiple concurrent HTTP/2 sessions must be established
  • Server must close all sessions simultaneously with precise timing

Impact

Who is impacted:

  • Applications using axios with HTTP/2 enabled
  • Applications connecting to untrusted or attacker-controlled HTTP/2 servers
  • Node.js applications using axios for HTTP/2 requests

Impact Details:

  • Denial of Service: Malicious server can crash the axios client process by accepting and closing multiple concurrent HTTP/2 connections simultaneously
  • Availability Impact: Complete loss of availability for the client process through crash (though service may auto-restart)
  • Scope: Impact is limited to the single client process making the requests; does not escape to affect other components or systems
  • No Confidentiality or Integrity Impact: Vulnerability only causes process crash, no information disclosure or data modification

CVSS Score: 5.9 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE Classifications:

  • CWE-400: Uncontrolled Resource Consumption
  • CWE-662: Improper Synchronization

Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service. Typical impact: denial of service.

CVE-2026-39865 has a CVSS score of 5.9 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.13.2); upgrading removes the vulnerable code path.

Affected versions

axios (>= 1.13.0, < 1.13.2)

Security releases

axios → 1.13.2 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade axios to 1.13.2 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-39865? CVE-2026-39865 is a medium-severity uncontrolled resource consumption vulnerability in axios (npm), affecting versions >= 1.13.0, < 1.13.2. It is fixed in 1.13.2. Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service.
  2. How severe is CVE-2026-39865? CVE-2026-39865 has a CVSS score of 5.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of axios are affected by CVE-2026-39865? axios (npm) versions >= 1.13.0, < 1.13.2 are affected.
  4. Is there a fix for CVE-2026-39865? Yes. CVE-2026-39865 is fixed in 1.13.2. Upgrade to this version or later.
  5. Is CVE-2026-39865 exploitable, and should I be worried? Whether CVE-2026-39865 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-39865 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-39865? Upgrade axios to 1.13.2 or later.
