What is CVE-2026-39865?

CVE-2026-39865 is a medium-severity vulnerability in Axios, classified under Uncontrolled Resource Consumption. CVSS score: 5.9/10. Published 2026-04-08.

How severe is CVE-2026-39865?

Medium severity. CVSS v3 base score is 5.9 out of 10.

Resource exhaustion in Axios

CVE-2026-39865

Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.000 (6.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.9 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Axios — versions >= 1.13.0, < 1.13.2

Weakness classification (CWE)

References

https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8 (x_refsource_CONFIRM)
https://github.com/axios/axios/commit/0588880ac7ddba7594ef179930493884b7e90bf5 (x_refsource_MISC)
https://github.com/axios/axios/releases/tag/v1.13.2 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-39865?: CVE-2026-39865 is a medium-severity vulnerability in Axios, classified under Uncontrolled Resource Consumption. CVSS score: 5.9/10. Published 2026-04-08.
How severe is CVE-2026-39865?: Medium severity. CVSS v3 base score is 5.9 out of 10.