Bug 2394735 (CVE-2025-58754)

Summary: CVE-2025-58754 axios: Axios DoS via lack of data size check
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, adudiak, alcohan, anjoseph, bdettelb, bkabrda, brasmith, caswilli, chfoley, cmah, cochase, dbosanac, dfreiber, dhanak, dkuc, doconnor, dranck, drosa, drow, dsimansk, dymurray, eaguilar, ebaron, eric.wittmann, fdeutsch, fjansen, ggrzybek, gmalinko, gparvin, haoli, hkataria, ibek, ibolton, jajackso, janstey, jburrell, jcammara, jchui, jhe, jkoehler, jmatthew, jmitchel, jmontleo, jneedle, jolong, jprabhak, jreimann, jrokos, jscholz, jwendell, jwong, kaycoth, kegrant, kingland, koliveir, kshier, ktsao, kverlaen, lball, lchilton, lphiri, mabashia, matzew, mdessi, mnovotny, mrizzi, nboldt, ngough, nipatil, njean, orabin, oramraz, owatkins, pahickey, pantinor, parichar, pbraun, pcattana, pdelbell, pgaikwad, pjindal, psrna, rcernich, rhaigner, rjohnson, rkubis, rstepani, sausingh, sdawley, sdoran, sfeifer, shvarugh, simaishi, slucidi, smcdonal, smullick, sseago, stcannon, stirabos, swoodman, tasato, teagle, tfister, thason, thavo, ttakamiy, veshanka, vkumar, wtam, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A denial of service flaw has been discovered in the Axios npm package. When Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested responseType: 'stream'.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2394856, 2394857, 2394858, 2394859, 2394860, 2394861, 2394862, 2394863, 2394864, 2394865, 2394866, 2394867, 2394868, 2394869, 2394870, 2395838    
Bug Blocks:    

Description OSIDB Bzimport 2025-09-12 02:01:17 UTC 
Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to version 1.11.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Version 1.11.0 contains a patch for the issue.