SeverityMODERATE
Repositoryaxios/axios
PublishedApr 8, 2026, 3:51 PM
Tagv1.13.2
Advisory summary
Axios HTTP/2 Session Cleanup State Corruption Vulnerability
Curator analysis
Synopsis
HTTP/2 session cleanup in Axios can corrupt internal session state and crash the client when concurrent session closures modify the sessions array during iteration.
Vulnerability classes
denial of servicestate corruptionimproper synchronization
Sink hints
lib/adapters/http.js
The advisory identifies Http2Sessions.getSession() and the HTTP/2 connection close cleanup logic in this file as the vulnerable sink where a sessions array is modified during iteration.
Expected components
Http2Sessions.getSession()HTTP/2 session cleanupconnection close handler
Model scores(5)
anthropic/claude-opus-4.6partial
56.00View trace
Target Alignment
24
Source To Sink Reasoning
11
Impact And Exploitability
11
Evidence Quality
7
Overclaim Control
3
z-ai/glm-5.1partial
53.00View trace
Target Alignment
60
Source To Sink Reasoning
40
Impact And Exploitability
60
Evidence Quality
70
Overclaim Control
40
moonshotai/kimi-k2.5partial
49.00View trace
Target Alignment
12
Source To Sink Reasoning
9
Impact And Exploitability
14
Evidence Quality
6
Overclaim Control
8
openai/gpt-5.4partial
47.00View trace
Target Alignment
35
Source To Sink Reasoning
30
Impact And Exploitability
65
Evidence Quality
70
Overclaim Control
85
google/gemini-3.1-pro-previewpartial
40.00View trace
Target Alignment
45
Source To Sink Reasoning
20
Impact And Exploitability
45
Evidence Quality
70
Overclaim Control
40