🚨 Breaking — March 31, 2026

axios@1.14.1 and axios@0.30.4 are malicious. Supply chain attack via compromised maintainer account. Safe versions: axios@1.14.0 or axios@0.30.3.

axios Supply Chain Attack (March 2026) + Complete CVE History

Last updated: April 1, 2026 · Data: OSV Database

axios is the most popular HTTP client for JavaScript. It has had several CVEs across its version history, mostly related to SSRF, credential exposure on redirect, and prototype pollution.

npm · 50M+ weekly downloads · 4 CVEs total · 🔴 CISA KEV

CVE history — all 4 known vulnerabilities

🔴 1 CVE on CISA KEV — actively exploited in real attacks

| CVE ID | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2020-28168 | 2020 | MEDIUM | SSRF via server-side request with crafted URL | Fixed in 0.21.1 |
| CVE-2021-3749 | 2021 | HIGH | Regular expression DoS in axios headers | Fixed in 0.21.2 |
| CVE-2022-1214 | 2022 | MEDIUM | Exposure of confidential data via logs in debug mode | Fixed in 0.26.0 |
| CVE-2023-45857 | 2023 | 🔴 HIGH | SSRF via protocol-relative URL (CISA KEV) | Fixed in 1.6.0 |

Current safe version

✓ Update to 1.7.4

The latest safe version addresses all 4 known CVEs listed above.

Before and after

Vulnerable:

"axios": "0.21.1"

Fixed:

"axios": "1.7.4"

Then run: npm install

Which packages pull in axios?

axios appears as a transitive dependency in many popular frameworks and SDKs:

| Package | Downloads | Why |
|---|---|---|
| @octokit/rest | varies | GitHub API client — uses axios for HTTP |
| firebase | varies | Some Firebase packages use axios internally |
| stripe | varies | Stripe SDK HTTP requests |
| twilio | varies | Twilio SDK — uses axios for API calls |

If axios is transitive and you installed axios@1.14.1 between March 31 00:21–03:30 UTC, assume compromise. Force safe version:
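The check above is easiest to do against the lockfile rather than package.json, because a transitive axios lives under the dependant's own node_modules path and never appears in your manifest. The following script is an added example, not code from this page or from the axios project: it walks a lockfileVersion 2/3 package-lock.json, reports every axios copy (direct and transitive) with the versions this page lists as malicious and the CVE fix thresholds from the table above, and builds the npm `overrides` object that pins all copies to one version. The sample lockfile, the stripe and @octokit/rest versions in it, and the function names are constructed for the demo.

```javascript
// Added example (not from the page or the axios project): audit a package-lock.json for
// axios entries, transitive copies included, and flag versions this page reports as
// malicious or as lacking a CVE fix. Runs offline against a constructed sample lockfile.

// Versions this page reports as malicious (March 31, 2026 supply chain attack).
const MALICIOUS = new Set(["1.14.1", "0.30.4"]);

// CVE fix thresholds as listed in the page's CVE table.
const CVE_FIXES = [
  { id: "CVE-2020-28168", fixedIn: "0.21.1" },
  { id: "CVE-2021-3749", fixedIn: "0.21.2" },
  { id: "CVE-2022-1214", fixedIn: "0.26.0" },
  { id: "CVE-2023-45857", fixedIn: "1.6.0" },
];

// Minimal comparison for plain x.y.z versions (no prerelease or range handling).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk the lockfileVersion 2/3 "packages" map. Keys are install paths such as
// "node_modules/stripe/node_modules/axios"; a nested key means a transitive copy
// that a plain "grep package.json" would miss.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/axios")) continue;
    const version = entry.version;
    // "node_modules/@octokit/rest/node_modules/axios" -> ["@octokit/rest", "axios"]
    const chain = path.split("node_modules/").filter(Boolean).map((s) => s.replace(/\/$/, ""));
    findings.push({
      path,
      version,
      transitive: chain.length > 1,
      via: chain.slice(0, -1),
      malicious: MALICIOUS.has(version),
      unfixedCves: CVE_FIXES.filter((c) => compareVersions(version, c.fixedIn) < 0).map((c) => c.id),
    });
  }
  return findings;
}

// npm (8.3 and later) honors an "overrides" field in package.json; this object, merged into
// the manifest, forces every axios copy in the tree, transitive ones included, to one version.
function buildOverrides(safeVersion) {
  return { overrides: { axios: safeVersion } };
}

// Constructed sample lockfile: a direct, current axios; a transitive malicious 1.14.1 under
// stripe; and a transitive 0.21.1 under @octokit/rest. Dependant versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "1.7.4", stripe: "^1.0.0", "@octokit/rest": "^1.0.0" } },
    "node_modules/axios": { version: "1.7.4" },
    "node_modules/stripe": { version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/stripe/node_modules/axios": { version: "1.14.1" },
    "node_modules/@octokit/rest": { version: "1.0.0", dependencies: { axios: "^0.21.1" } },
    "node_modules/@octokit/rest/node_modules/axios": { version: "0.21.1" },
  },
};

if (typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
  console.log(JSON.stringify(buildOverrides("1.7.4")));
}
```

To run it on a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; after adding the overrides object to package.json, a fresh `npm install` rewrites the lockfile, and `npm list axios` should then show a single pinned version.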

axios 0.x to 1.x breaking changes

axios 1.0 introduced several breaking changes from the 0.x series. These are the changes that affect most projects migrating from 0.x to 1.x:

| Change | 0.x | 1.x |
|---|---|---|
| TypeScript types | Separate @types/axios | Built-in — remove @types/axios |
| Error handling | axios.isAxiosError() untyped | Fully typed AxiosError |
| FormData | Manual serialization | Automatic serialization |
| ESM support | CommonJS only | ESM + CommonJS dual package |

# Remove old types package if present
npm uninstall @types/axios

# Install safe axios version
npm install axios@1.7.4

# Verify
npm list axios


Common questions

What is the safest version of axios to use?
1.7.4 is the latest safe version as of March 2026. Avoid anything below 1.6.0, which introduced the fix for CVE-2023-45857 (CISA KEV).
Does CVE-2023-45857 affect all axios users?
It specifically affects apps that use axios with XSRF token protection and allow user-controlled redirect targets. If you use axios with default settings and don't follow redirects to user-supplied URLs, your exposure is lower — but you should still upgrade.
Why is axios on the CISA KEV list?
CVE-2023-45857 was confirmed to be exploited in server-side request forgery attacks against applications that proxy requests through axios. CISA added it to the KEV catalog because of that confirmed in-the-wild exploitation.
Is there a major version migration needed?
Yes — axios 1.x has some breaking changes from 0.x. The main change is that errors now extend AxiosError instead of a plain Error. Most applications need minimal changes. The security improvement is worth it.
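Upgrading closes the library-side issue, but the two answers above on CVE-2023-45857 describe an application-side condition too: a user-controlled target that the app forwards or proxies, and redirects that are followed without re-checking where they lead. The following is an added example, not code from this page or from the axios project, of the defender-side check for that pattern: an exact hostname allowlist that rejects protocol-relative and non-HTTPS targets, and a redirect follower that validates every Location before requesting it. The allowlisted hosts, canned responses and function names are constructed for the demo; the only axios option it mentions, `maxRedirects: 0`, is a request option I know axios supports but which this page does not discuss.

```javascript
// Added example, not from the page or the axios project: allowlist validation for
// user-supplied request targets, plus a redirect follower that re-validates every hop.
// Hosts, URLs and responses below are constructed for the demo.

const ALLOWED_HOSTS = new Set(["api.example.com", "cdn.example.com"]); // constructed allowlist

// Validate one absolute URL. Returns { ok: true, url } or { ok: false, reason }.
function validateTarget(input, allowedHosts = ALLOWED_HOSTS) {
  if (typeof input !== "string" || input.length === 0) {
    return { ok: false, reason: "empty target" };
  }
  // A protocol-relative target ("//host/path") takes its scheme from whatever base it is
  // resolved against and names a host of the caller's choosing; reject it before parsing.
  if (input.startsWith("//")) {
    return { ok: false, reason: "protocol-relative URL" };
  }
  let url;
  try {
    url = new URL(input); // no base argument, so relative paths are rejected here
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme not allowed: ${url.protocol}` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  // URL.hostname is already lower-cased; compare for exact membership, never by prefix or
  // substring, so "api.example.com.other.test" does not pass.
  if (!allowedHosts.has(url.hostname)) {
    return { ok: false, reason: `host not allowlisted: ${url.hostname}` };
  }
  return { ok: true, url: url.toString() };
}

// Follow redirects one hop at a time, validating each Location before requesting it.
// `transport` is an injected function ({ url }) => { status, headers }. In production it would
// wrap the HTTP client with automatic redirects disabled (axios: maxRedirects: 0) and be awaited.
function resolveRedirectChain(transport, input, maxHops = 3) {
  let current = validateTarget(input);
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!current.ok) return { ok: false, reason: current.reason };
    const res = transport({ url: current.url });
    if (res.status < 300 || res.status >= 400) {
      return { ok: true, finalUrl: current.url, status: res.status };
    }
    const location = res.headers.location;
    if (typeof location !== "string") return { ok: false, reason: "redirect without Location" };
    let next;
    try {
      next = new URL(location, current.url).toString(); // relative Location resolves against current
    } catch {
      return { ok: false, reason: "unparseable Location" };
    }
    current = validateTarget(next); // the same allowlist applies to every hop
  }
  return { ok: false, reason: "too many redirects" };
}

// Constructed fake transport: canned responses keyed by URL, so the example runs offline.
const FAKE_RESPONSES = {
  "https://api.example.com/v1/data": { status: 200, headers: {} },
  "https://api.example.com/old": { status: 302, headers: { location: "/v1/data" } },
  "https://api.example.com/loop": { status: 302, headers: { location: "/loop" } },
  "https://api.example.com/leave": { status: 302, headers: { location: "//untrusted.example.net/collect" } },
};
function fakeTransport({ url }) {
  return FAKE_RESPONSES[url] || { status: 404, headers: {} };
}

if (typeof module !== "undefined" && require.main === module) {
  for (const path of ["old", "loop", "leave"]) {
    console.log(path, JSON.stringify(resolveRedirectChain(fakeTransport, `https://api.example.com/${path}`)));
  }
}
```

The "leave" case is the one the Q&A above is about: the first hop is on an allowlisted host, the Location header is protocol-relative, and resolving it against the current URL yields an HTTPS URL on a host outside the allowlist, which the per-hop validation rejects before any request is sent.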
