Anonymous Intelligence Signal

Axios Node.js Data URL Vulnerability (CVE-2025-58754) Exposes Memory Exhaustion Risk

human | The Lab | unverified | 2026-04-11 13:22:30 | Source: GitHub Issues

A high-severity flaw in the widely used Axios HTTP client allows an attacker who controls a request URL to force uncontrolled memory consumption in a Node.js process and cause a denial of service. The vulnerability, tracked as CVE-2025-58754, stems from how the Node.js http adapter handles URLs with the `data:` scheme. Instead of making a network request, the adapter decodes the entire payload of such a URL directly into memory as a `Buffer` or `Blob` and returns a synthetic 200 response. An attacker who can get a crafted `data:` URL with a massive payload passed to `axios.get()` (or any other request method) can therefore trigger that allocation at will.

The core of the issue is that the size limits protecting network responses, `maxContentLength` and `maxBodyLength`, were not applied to `data:` URLs at all. An attacker can construct a `data:` URL carrying an extremely large base64-encoded (or percent-encoded) payload; when Axios decodes it, the entire content is allocated into the Node.js process's heap in a single operation, regardless of any limit the caller configured. That can exhaust available memory and crash the process or leave it unresponsive, a denial-of-service condition. Two practical caveats narrow the exposure: the attacker has to deliver the oversized URL string to the application, so the bug matters wherever user input reaches the URL passed to Axios (URL fetchers, webhook or callback endpoints, proxies, link previewers), and only the Node.js http adapter takes this path, so browser-based usage through the XHR and fetch adapters is not affected.

The security advisory from the Axios maintainers confirms the risk and has prompted automated dependency management tools such as Renovate to open update pull requests, urging projects to move from vulnerable versions (like 0.28.x) to a patched release; the pull request behind this report targets 1.15.0 or later. The fix bounds the decoded size of a `data:` URL using the existing `maxContentLength` option, so after upgrading, set `maxContentLength` explicitly: the library default is -1 (unlimited), and with that default the new check does not engage. This highlights a persistent supply-chain challenge: a fundamental library used by millions of projects becomes a single point of failure. Developers should prioritize the update, since the exploit is straightforward and could destabilize any Node.js service that passes untrusted URLs to an outdated Axios, and should independently allow-list URL schemes before a caller-supplied URL reaches the client, because a `data:` URL never needed to reach the network layer in the first place.
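The following is an added example, not code from the axios project or from the advisory. It shows the pre-flight guard described above: a scheme allow-list applied to an untrusted URL before it reaches the HTTP client, plus a size estimate for `data:` URLs computed without decoding them, so an oversized payload is rejected before any `Buffer` is allocated. `decodeDataUrlEagerly` is a simplified reconstruction of the eager decode the page describes, included only to confirm the estimate; the policy values, function names and sample URLs are hypothetical and constructed here. It uses Node.js built-ins only and runs without axios installed.

```javascript
// Added example (not axios project code): scheme allow-list plus a decoded-size
// bound for data: URLs, applied before a URL is handed to any HTTP client.
// URL and Buffer are Node.js globals, so nothing needs to be required.

// Estimate the decoded byte size of an RFC 2397 data: URL without decoding it.
// Shape: data:[<mediatype>][;base64],<payload>
function estimateDataUrlDecodedBytes(urlString) {
  if (!/^data:/i.test(urlString)) throw new TypeError('not a data: URL');
  const comma = urlString.indexOf(',');
  if (comma === -1) throw new TypeError('malformed data: URL (no comma)');
  const header = urlString.slice('data:'.length, comma); // mediatype and params
  const payload = urlString.slice(comma + 1);
  if (/;base64$/i.test(header)) {
    // Node's base64 decoder ignores whitespace, so strip it before sizing.
    const body = payload.replace(/\s+/g, '');
    const padding = body.endsWith('==') ? 2 : body.endsWith('=') ? 1 : 0;
    return Math.floor((body.length * 3) / 4) - padding;
  }
  // Percent-encoded text: each %XX triplet (3 bytes of URL) becomes 1 byte;
  // every other character keeps its UTF-8 byte length.
  const escapes = (payload.match(/%[0-9a-f]{2}/gi) || []).length;
  return Buffer.byteLength(payload, 'utf8') - 2 * escapes;
}

// Simplified reconstruction of the eager decode the page describes: the whole
// payload becomes one Buffer in a single allocation. Used here only to check
// the estimate; this is exactly the allocation the guard below prevents.
function decodeDataUrlEagerly(urlString) {
  const comma = urlString.indexOf(',');
  const isBase64 = /;base64$/i.test(urlString.slice(0, comma));
  const payload = urlString.slice(comma + 1);
  return isBase64
    ? Buffer.from(payload, 'base64')
    : Buffer.from(decodeURIComponent(payload), 'utf8');
}

// Hypothetical policy values; tune them for the service.
const DEFAULT_POLICY = {
  allowedSchemes: ['https:'],   // data: is refused outright unless listed here
  maxDecodedBytes: 1024 * 1024, // cap that applies only when data: is allowed
};

// Returns { ok: true, ... } or { ok: false, reason } for a URL about to be
// passed to axios (or any other client). Never throws on attacker input.
function checkOutboundUrl(urlString, policy = {}) {
  const { allowedSchemes, maxDecodedBytes } = { ...DEFAULT_POLICY, ...policy };
  let parsed;
  try {
    parsed = new URL(urlString);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (!allowedSchemes.includes(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (parsed.protocol !== 'data:') return { ok: true, scheme: parsed.protocol };
  let decodedBytes;
  try {
    decodedBytes = estimateDataUrlDecodedBytes(urlString);
  } catch (err) {
    return { ok: false, reason: err.message };
  }
  if (decodedBytes > maxDecodedBytes) {
    return { ok: false, reason: `data: URL would decode to ${decodedBytes} bytes, limit ${maxDecodedBytes}` };
  }
  return { ok: true, scheme: 'data:', decodedBytes };
}

// Constructed sample inputs (not from the advisory): a 1000-byte base64 body,
// a small percent-encoded body, and an ordinary HTTPS URL.
const SAMPLE_BASE64_URL =
  'data:application/octet-stream;base64,' + Buffer.alloc(1000, 0x41).toString('base64');
const SAMPLE_TEXT_URL = 'data:text/plain,hello%20world';
const SAMPLE_HTTPS_URL = 'https://example.com/api';

// Bounded policy: data: permitted, but only up to 512 decoded bytes.
const BOUNDED_POLICY = { allowedSchemes: ['https:', 'data:'], maxDecodedBytes: 512 };

for (const u of [SAMPLE_HTTPS_URL, SAMPLE_TEXT_URL, SAMPLE_BASE64_URL]) {
  console.log(u.slice(0, 60), '\n  default ->', checkOutboundUrl(u),
    '\n  bounded ->', checkOutboundUrl(u, BOUNDED_POLICY));
}
```

Run the check on any URL that originates outside the process before calling the client; keeping `https:` as the only default scheme is the safe baseline, and a `data:` allowance with a small cap is the exception for services that genuinely need it. This guard is defense in depth alongside the upgrade, not a substitute for it: a patched Axios with `maxContentLength` set enforces a comparable bound inside the adapter.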