Axios Versions, CVEs, and Safe Upgrade Path (Updated April 2026)
A complete, version-by-version reference for the most widely deployed HTTP client in JavaScript, including CVE coverage, fix versions, and the support gap that catches enterprises off guard.

Axios is the most widely used HTTP client in the JavaScript ecosystem. As of April 2026, the package averages roughly 100 million weekly downloads on npm (about 407 million per month) and ships in a substantial portion of all Node.js production applications, often as a transitive dependency pulled in through SDKs, CLIs, and framework integrations. More than 135 versions have been published since the first release in August 2014.
Unlike Angular, Node.js, or .NET, Axios does not publish a formal LTS or end-of-life schedule. Patches land on the latest minor release, with occasional security backports to the 0.x line. That model leaves many enterprise applications running known-vulnerable Axios versions long after a fix exists, especially when the package is locked by a parent dependency that has not been updated.
This page is a complete, versioned reference for every Axios release, the CVEs that affect each one, and the safe upgrade target for production code. Release dates are pulled directly from the npm registry. Vulnerability data is from the OSV.dev advisory database and GitHub Security Advisories.
How Axios Versioning and Releases Work
Axios follows semantic versioning, with two parallel maintained branches:
- 1.x (latest dist-tag). All new features and the majority of patches ship here. The current release is 1.15.1, published April 19, 2026.
- 0.x (legacy dist-tag). Still actively patched. Recent security backports have shipped as 0.30.x and 0.31.x releases. The latest 0.x release is 0.31.1, also from April 19, 2026.
There is no LTS. There is no formal maintenance window per minor version. When a vulnerability is disclosed, the maintainers patch the latest minor release (and sometimes the 0.x branch). Everyone on an older minor is expected to upgrade.
In practice this means three things for production applications:
- Every Axios 1.x CVE disclosed since 1.0.0 affects every prior 1.x version up to the patch, unless explicitly noted. There is no "your old minor still gets fixes" path.
- Pinning to an old Axios minor freezes you against multiple known vulnerabilities, not just one.
- The 0.x branch is one of the only legacy JS libraries still receiving security backports years after its successor shipped. Teams running 0.27.x or 0.28.x often do not realize a current 0.31.x patch line exists.
Current Axios Version
Both lines received simultaneous patches on April 19, 2026, addressing the most recent CVE cluster. If you are pinned anywhere below these versions, see the CVE table below to determine your exposure.
Complete Axios Version History
The table below lists every minor and significant patch release. Dates are from the npm registry. Versions in bold are still receiving security patches as of April 2026. Versions marked as exposed have one or more known unpatched CVEs.
Axios 1.x Releases
(In the table above, "+" means the listed CVE is in addition to all CVEs listed for newer rows. Anything older than 1.15.1 has at least the two unpatched CVEs from the 1.15.0 patch cluster.)
Axios 0.x Releases (Legacy Branch)
If you are on a 0.x version older than 0.31.1, you have known CVE exposure. Even if you stay on the 0.x line for compatibility reasons, upgrading within 0.x (to 0.31.1) is safe and addresses every advisory currently fixed upstream.
Axios 1.15.0 (npm Release April 2026)
1.15.0 was published to npm on April 8, 2026, and is the cutoff for two simultaneously disclosed advisories:
- CVE-2025-62718 ("NO_PROXY Hostname Normalization Bypass Leads to SSRF"). MODERATE. The Axios proxy logic did not normalize hostname casing or trailing dots before checking the NO_PROXY allowlist, allowing an attacker who controlled the request URL to bypass proxy controls and trigger a server-side request forgery against internal infrastructure. Affects all 1.x and 0.x versions up to but not including 1.15.0 and 0.31.0.
- CVE-2026-40175 ("Unrestricted Cloud Metadata Exfiltration via Header Injection Chain"). MODERATE. A header injection chain in the Axios redirect handler could be combined with cloud provider metadata services (AWS IMDSv1, GCP metadata, Azure IMDS) to exfiltrate credentials from compromised servers. Affects all 1.x and 0.x versions up to but not including 1.15.0 and 0.31.0.
1.15.1, released eleven days later on April 19, 2026, is a follow-up patch release with no security implications beyond the 1.15.0 fixes.
If you are on any Axios version below 1.15.0 and your application makes outbound requests with a NO_PROXY configuration, follows redirects, or runs in a cloud environment with a metadata service, both CVEs are exploitable in your environment. Upgrade to 1.15.1 (or 0.31.1 if you are on the legacy branch).
Axios 1.14.1
Released March 31, 2026. A patch release that landed alongside the discovery of a malicious package incident in the npm ecosystem (MAL-2026-2307, advisory GHSA-fw8c-xr5c-95f9) targeting Axios users via a compromised dependency. 1.14.1 itself is not the malicious package, but the timing is worth noting because supply chain alerts from npm audit at this time are likely to reference both the legitimate 1.14.1 release and the malicious typosquat that surfaced the same day.
1.14.1 does not include the fixes for CVE-2025-62718 or CVE-2026-40175. Anyone pinned to 1.14.1 should upgrade to 1.15.1.
Axios 1.14.0
Released March 27, 2026. The 1.14 minor introduced internal refactoring for the proxy resolution code path, which was the area later identified as vulnerable in CVE-2025-62718. As with 1.14.1, this version is exposed to the two April 2026 CVEs and should be upgraded.
Axios 1.13.x
The 1.13 series shipped from October 2025 through February 2026 and includes its own short-lived security incidents:
- CVE-2026-39865 ("HTTP/2 Session Cleanup State Corruption"). MODERATE. Affected 1.13.0 and 1.13.1 only, fixed in 1.13.2. A race condition in HTTP/2 session cleanup could cause Axios to reuse a corrupted session, leading to availability issues under load.
- CVE-2026-25639 ("DoS via __proto__ Key in mergeConfig"). HIGH. Affected all 1.x versions from 1.0.0 through 1.13.4, fixed in 1.13.5. A maliciously crafted config object passed to mergeConfig could trigger prototype pollution leading to a denial of service. Backported to the 0.x branch as 0.30.3.
If you are on any 1.13.x version below 1.13.5, you carry CVE-2026-25639 in addition to the two April 2026 CVEs.
Axios 1.12.x and 1.11.x
These versions, released between June and September 2025, are the cutoff for CVE-2025-58754 ("DoS attack through lack of data size check"). HIGH severity. The Axios response handler did not enforce a maximum size on incoming data, allowing a malicious or compromised endpoint to exhaust server memory by streaming an oversized response. Fixed in 1.12.0 and backported to 0.30.2. Anything below 1.12.0 is exposed.
Axios 1.10.x and 1.9.x
The 1.9 and 1.10 minors (April and June 2025) added incremental features and bug fixes but no security patches of their own. Their CVE exposure is identical to 1.8.x: vulnerable to CVE-2025-58754 and every later CVE. Upgrade to 1.15.1.
Axios 1.8.x
Released February through March 2025. The 1.8 series resolved CVE-2025-27152 ("SSRF and Credential Leakage via Absolute URL"). HIGH severity. When a request was made with a relative URL, certain combinations of baseURL configuration could cause Axios to resolve to a different absolute URL than intended, potentially leaking auth headers to an attacker-controlled host. Fixed in 1.8.2. Backported to the 0.x branch as 0.30.0.
1.8.0 and 1.8.1 are exposed to CVE-2025-27152. Use 1.8.2 or later within the 1.8 line, but upgrading further is strongly recommended given the additional CVEs disclosed since.
Axios 1.7.0 Release Notes
1.7.0 shipped on May 19, 2024, after three beta releases in April and May. It was the headline minor release of 2024, introducing several internal refactors and stricter handling of request configurations.
Security context for 1.7.0: This version is exposed to CVE-2024-39338 ("Server-Side Request Forgery in axios"). HIGH severity. The vulnerability affects all versions from 1.3.2 through 1.7.3 and was fixed in 1.7.4 (released August 13, 2024). The flaw allowed attackers to coerce Axios into making requests to absolute URLs that originated from path-relative inputs, enabling SSRF against internal services.
Anyone running 1.7.0, 1.7.1, 1.7.2, or 1.7.3 should upgrade. The minimum safe version within the 1.7 line is 1.7.4. The currently recommended version is 1.15.1. Beyond CVE-2024-39338, every CVE listed for the 1.8.x through 1.15.x rows in the table above also applies to 1.7.x.
Axios 1.6.5 Release Notes
1.6.5 shipped on January 5, 2024, two days after 1.6.4. It was a patch release in the 1.6 series, which began with 1.6.0 on October 26, 2023, the version that introduced the fix for CVE-2023-45857 ("Cross-Site Request Forgery Vulnerability"). MODERATE severity. The XSRF token cookie was being sent in the X-XSRF-TOKEN header on cross-origin requests, exposing it to third-party sites.
Security context for 1.6.5: This version is exposed to CVE-2024-39338 (the SSRF described above), since the vulnerable code was introduced in 1.3.2 and persisted through 1.7.3. It also predates every CVE disclosed in 2025 and 2026.
The minimum safe upgrade target if you must stay close to 1.6.x is 1.6.8 (March 2024), but that version is still exposed to CVE-2024-39338 because the SSRF fix did not land until 1.7.4. The recommended upgrade is to 1.15.1.
Axios 1.0 to 1.5
1.0.0 was published October 4, 2022, after 18 months of pre-release development from 1.0.0-alpha.1. The 1.x line introduced TypeScript types as a first-class export, dropped support for Node.js below v14, and removed the legacy default exports. Versions 1.0.0 through 1.5.1 are all exposed to CVE-2023-45857 (CSRF token leak), and the 1.3.2 through 1.5.1 range adds CVE-2024-39338 on top.
There is no scenario in 2026 where staying on Axios 1.0 through 1.5 is acceptable from a security standpoint. Every version in this range carries multiple HIGH or MODERATE CVEs that have remained unpatched on those minors.
Axios 0.x History (2014 to Present)
The 0.x branch has a longer history than most JavaScript libraries still in production use:
- 0.18.0 and earlier (2014 through Feb 2018): Exposed to CVE-2019-10742 (Denial of Service via memory exhaustion). HIGH severity. Fixed in 0.18.1.
- 0.20.0 and earlier (through Aug 2020): Exposed to CVE-2020-28168 (SSRF via proxy bypass). MODERATE severity. Fixed in 0.21.1.
- 0.21.1 and earlier (through Dec 2020): Exposed to CVE-2021-3749 (Inefficient Regular Expression Complexity, ReDoS). HIGH severity. Fixed in 0.21.2.
- 0.27.x and earlier (through 2022): Exposed to CVE-2023-45857 (CSRF token leak). The 0.x fix shipped as 0.28.0 in February 2024, more than three months after the 1.x fix.
- 0.29.x and earlier (through Nov 2024): Exposed to CVE-2025-27152 (SSRF and credential leak). Fixed in 0.30.0.
- 0.30.1 and earlier (through Aug 2025): Exposed to CVE-2025-58754 (DoS via no data size check). Fixed in 0.30.2.
- 0.30.2 and earlier (through Sep 2025): Exposed to CVE-2026-25639 (DoS via __proto__ in mergeConfig). Fixed in 0.30.3.
- 0.30.4 and earlier (through Mar 2026): Exposed to CVE-2025-62718 and CVE-2026-40175. Fixed in 0.31.0.
If you are on the 0.x branch, the only current safe version is 0.31.1. Anything older has at least one HIGH or MODERATE CVE with no upstream backport coming.
Known CVEs in Axios
Twelve CVEs and one malicious package incident affect Axios as of April 2026, summarized in the table below.
If you are on Axios 1.15.1 (or 0.31.1 on the legacy branch), you have no known CVE exposure as of this writing. If you are on any other version, count the rows above where your version falls inside the vulnerable range.
Why Upgrading Axios Isn't Always Trivial
In a greenfield Node.js application, bumping Axios to the current version is a one-line change in package.json. In an enterprise application with a long dependency tree, the change is rarely that simple:
- Transitive lock. Axios is a dependency of dozens of popular SDKs and CLIs (cloud provider SDKs, observability agents, internal HTTP clients). If a parent package pins Axios to an old version, your top-level upgrade is overridden unless you use overrides (npm), resolutions (Yarn), or equivalent. Both approaches can break parent packages that rely on removed Axios behavior.
- Behavioral changes between minors. The 1.x line has changed default behavior several times: stricter URL handling in 1.7, response data size limits in 1.12, proxy normalization in 1.15. A version bump can change request behavior in ways your test suite does not catch until production.
- Node.js floor. Recent Axios versions require Node.js 18 or later. If you are running an EOL Node.js version (16.x, 14.x, or earlier), the upgrade is blocked at the runtime level. This is one of the most common reasons we see enterprises stuck on old Axios: the underlying Node.js runtime is unsupported, so the dependency tree is frozen behind it.
- Build pipeline assumptions. Older Axios shipped CommonJS by default with optional ESM. Recent versions reverse that, which can break bundler configurations, monkeypatched test mocks, and any code that imported from internal Axios paths.
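As an added example (not code from the Axios project or from this page), the script below applies the per-version CVE ranges described in this reference to every copy of axios in an npm lockfile, which is how you find the transitive copies a parent package pins, and drafts the npm "overrides" entry for the stale ones. The lockfile and the parent package name "example-cloud-sdk" are constructed placeholders.

```javascript
// Added example (not from the Axios project or this page): list every axios copy in an npm
// lockfile (lockfileVersion 2 or 3), match each against the CVE ranges described on this page.
// Compare two x.y.z strings; a prerelease tag such as "-alpha.1" is dropped before comparing.
function cmp(a, b) {
  const [pa, pb] = [a, b].map(v => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Vulnerable ranges as [first affected, first fixed) per branch, transcribed from this page.
const ADVISORIES = [
  { id: 'CVE-2019-10742', ranges: [['0.0.0', '0.18.1']] },
  { id: 'CVE-2020-28168', ranges: [['0.0.0', '0.21.1']] },
  { id: 'CVE-2021-3749',  ranges: [['0.0.0', '0.21.2']] },
  { id: 'CVE-2023-45857', ranges: [['0.0.0', '0.28.0'], ['1.0.0', '1.6.0']] },
  { id: 'CVE-2024-39338', ranges: [['1.3.2', '1.7.4']] },
  { id: 'CVE-2025-27152', ranges: [['0.0.0', '0.30.0'], ['1.0.0', '1.8.2']] },
  { id: 'CVE-2025-58754', ranges: [['0.0.0', '0.30.2'], ['1.0.0', '1.12.0']] },
  { id: 'CVE-2026-25639', ranges: [['0.0.0', '0.30.3'], ['1.0.0', '1.13.5']] },
  { id: 'CVE-2026-39865', ranges: [['1.13.0', '1.13.2']] },
  { id: 'CVE-2025-62718', ranges: [['0.0.0', '0.31.0'], ['1.0.0', '1.15.0']] },
  { id: 'CVE-2026-40175', ranges: [['0.0.0', '0.31.0'], ['1.0.0', '1.15.0']] },
];
function advisoriesFor(version) {
  const hit = ([lo, hi]) => cmp(version, lo) >= 0 && cmp(version, hi) < 0;
  return ADVISORIES.filter(a => a.ranges.some(hit)).map(a => a.id);
}

// Each "packages" key ending in node_modules/axios is one installed copy; the key prefix
// names the parent package that pinned it (no prefix means it is a direct dependency).
function scanLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => /(^|\/)node_modules\/axios$/.test(path))
    .map(([path, meta]) => ({
      path, version: meta.version, cves: advisoriesFor(meta.version),
      pinnedBy: path.replace(/\/?node_modules\/axios$/, '').split('node_modules/').pop() || null,
    }));
}

// Draft a nested npm "overrides" block for each vulnerable copy pinned by a parent package.
// An override can break a parent that relies on removed Axios behaviour, so run the tests after.
function suggestOverrides(hits, target = '1.15.1') {
  const overrides = {};
  for (const h of hits) if (h.pinnedBy && h.cves.length) overrides[h.pinnedBy] = { axios: target };
  return overrides;
}

// Constructed sample lockfile: a current top-level copy plus a stale copy nested under a
// hypothetical parent ("example-cloud-sdk" is a placeholder, not a real package).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/axios': { version: '1.15.1' },
  'node_modules/example-cloud-sdk': { version: '2.0.0', dependencies: { axios: '^0.27.2' } },
  'node_modules/example-cloud-sdk/node_modules/axios': { version: '0.27.2' },
} };
const hits = scanLockfile(SAMPLE_LOCK);
for (const h of hits) console.log(h.path, h.version, h.cves.join(', ') || 'no known CVEs');
console.log('suggested overrides:', JSON.stringify(suggestOverrides(hits)));
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `SAMPLE_LOCK`; lockfileVersion 1 files nest copies under "dependencies" instead and are not handled here.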
Options for Applications Stuck on Old Axios
If you cannot move directly to 1.15.1, three paths exist:
1. Upgrade in stages. Move minor by minor through the 1.x line, running your test suite at each step. This is the highest-confidence upgrade path and is feasible for most applications. Pay particular attention to 1.6.0, 1.7.0, 1.8.0, 1.12.0, and 1.15.0, which each introduced behavioral changes.
2. Switch to the legacy 0.31.1 line. If your codebase uses the older Axios API surface (default exports, looser URL handling), staying on the 0.x branch and upgrading to 0.31.1 will close every currently patched CVE without forcing a 1.x migration. This is a reasonable interim move, but the 0.x branch is not actively developed for new features and the gap will widen over time.
3. Address the upstream constraint that is blocking the upgrade. If the reason you are pinned is that your Node.js runtime is on an end-of-life version (Node.js 16, 14, or 12), the Axios upgrade is downstream of a runtime upgrade. HeroDevs Never-Ending Support (NES) for Node.js provides ongoing security patches for EOL Node.js versions, which keeps the runtime layer compliant while you plan the move to Node.js 20 or 22. With the runtime layer covered, the Axios upgrade becomes a dependency-only change rather than a full-stack migration.
For the broader pattern of dependencies that ship CVEs faster than enterprise change windows can absorb them, see our reference posts on Node.js end-of-life dates and the HeroDevs vulnerability directory for individual CVE coverage details.
Frequently Asked Questions
What is the latest version of Axios?
The latest version of Axios is 1.15.1, released April 19, 2026. The latest legacy 0.x release is 0.31.1, released the same day.
Does Axios have an LTS or end-of-life policy?
No. Axios does not publish LTS or EOL dates. Patches land on the latest minor release, with occasional security backports to the 0.x line. Older minors do not receive fixes after a newer minor ships.
Is the Axios 0.x branch still maintained?
Yes. As of April 2026, the 0.x branch continues to receive security backports under the legacy npm dist-tag. The current legacy version is 0.31.1. This is unusual for a JavaScript library and is sometimes overlooked by teams running 0.27.x or 0.28.x who assume the line is dead.
Which Axios versions have known CVEs in 2026?
Every Axios version below 1.15.0 (or 0.31.0 on the legacy branch) has at least two unpatched CVEs as of April 2026: CVE-2025-62718 (SSRF via NO_PROXY bypass) and CVE-2026-40175 (cloud metadata exfiltration). Older versions stack additional CVEs on top, summarized in the table above.
What do the axios 1.7.0 release notes cover?
1.7.0 was released May 19, 2024. The release introduced internal refactors and the request configuration handling that was later identified as vulnerable in CVE-2024-39338. The minimum safe version within the 1.7 line is 1.7.4.
What changed in axios 1.6.5?
1.6.5 was released January 5, 2024, as a patch release in the 1.6 series. It does not include the fix for CVE-2024-39338 (the SSRF vulnerability introduced in 1.3.2), which did not ship until 1.7.4 in August 2024.
When was Axios 1.15.0 released?
Axios 1.15.0 was published to the npm registry on April 8, 2026. It addressed two MODERATE-severity CVEs: CVE-2025-62718 (NO_PROXY bypass SSRF) and CVE-2026-40175 (cloud metadata exfiltration). The follow-up patch 1.15.1 shipped on April 19, 2026.
Can I keep using Axios 0.x in production?
Only if you are on 0.31.1, the current legacy patch. Any 0.x version older than 0.31.1 has at least one unpatched HIGH or MODERATE CVE. The 0.x branch is a viable interim choice, but it is not actively developed and the feature gap with 1.x continues to widen.
Why am I pinned to an old Axios version?
The most common reasons are: a parent package (cloud SDK, observability agent, internal CLI) pins Axios as a transitive dependency, your Node.js runtime is too old to support a recent Axios version, or your build pipeline depends on the older CommonJS defaults. The runtime constraint is often the root cause and is addressable via HeroDevs Node.js NES.
Taking Action
Axios is one of the most heavily exposed packages in the npm ecosystem because of its install base, the breadth of its feature surface (proxies, redirects, interceptors, HTTP/2), and the lack of a formal LTS. Twelve CVEs have been disclosed across the 0.x and 1.x branches, with three landing in 2026 alone. The current safe versions are 1.15.1 on the current branch and 0.31.1 on the legacy branch. Anything older has known exposure that will not be backported.
If your application is pinned to an old Axios version because the underlying Node.js runtime is end-of-life, contact HeroDevs to discuss Never-Ending Support for Node.js. Securing the runtime layer is what unblocks the dependency upgrade.
This page is maintained by HeroDevs and will be updated as new Axios versions and advisories are published. Last verified against the npm registry and OSV.dev advisory database: April 20, 2026.