Anonymous Intelligence Signal

Axios Node.js Data URL Vulnerability (CVE-2025-58754) Exposes Memory Exhaustion Risk

The Lab | unverified | 2026-04-12 10:22:33 | Source: GitHub Issues

A critical vulnerability in the widely used Axios HTTP client library for Node.js allows attackers to trigger uncontrolled memory consumption, potentially leading to denial-of-service conditions. The flaw, tracked as CVE-2025-58754, resides in the library's handling of URLs with the `data:` scheme. When Axios on Node.js receives such a URL, its HTTP adapter bypasses the normal network request, instead decoding the entire payload directly into memory as a `Buffer` or `Blob` and returning a synthetic 200 response. This behavior creates a direct vector for resource exhaustion.

The vulnerability specifically affects the Node.js adapter within Axios versions prior to 1.15.0. The issue stems from the library's failure to properly validate or limit the size of data processed from `data:` URLs. An attacker can craft a malicious URL containing a large payload, which Axios will decode in its entirety, consuming system memory without the typical constraints of a network request. This represents a significant deviation from expected HTTP client behavior and introduces a severe availability risk.

The security advisory, GHSA-4hjh-wcwx-xvwj, has prompted an urgent update to Axios v1.15.0. The patch addresses the improper handling mechanism. This vulnerability underscores the hidden risks in foundational dependencies that bridge web protocols and server-side execution. Developers and security teams managing Node.js applications must prioritize this update, as Axios is a ubiquitous component in modern web stacks, and exploitation could destabilize services by exhausting host resources.