CVE-2026-42035 Detected in Axios HTTP Client: High-Severity Flaw Found in Versions 0.25.0 and 0.21.4
A high-severity vulnerability, tracked as CVE-2026-42035, has been identified in two widely deployed versions of the Axios HTTP client library, 0.25.0 and 0.21.4. The finding carries a "High" severity rating and was detected in the packages distributed through the official npm registry as axios-0.25.0.tgz and axios-0.21.4.tgz. Organizations running either version are exposed through their application dependency trees, whether Axios is a direct dependency of the application or is pulled in transitively by another package.
The vulnerable packages were found in standard Node.js project layouts: declared in package.json and installed under node_modules/axios/package.json. Axios is a promise-based HTTP client used in both browser and server-side JavaScript, which makes it a foundational component of a large share of modern web infrastructure. Dependency-hierarchy analysis identified axios-0.25.0.tgz as the directly vulnerable library in at least one instance, with axios-0.21.4.tgz appearing on separate dependency paths, that is, as a copy installed beneath another package rather than at the top level of the project. That two distinct versions are affected means the finding reaches more projects than a single-version result would, and it means a check of the application's own package.json is not sufficient: a nested copy under a dependency's node_modules carries its own version and has to be located separately. Note also that the notice names only these two versions; it does not state whether intermediate releases are affected or which release contains the fix, so the upgrade target should be taken from the official Axios advisory rather than inferred from the version numbers.
The finding puts immediate pressure on development teams to check their dependency trees for these two Axios versions. Given how pervasively Axios is used in web applications, APIs, and microservices, an unpatched copy sits directly in the HTTP request handling path that an attacker would target, although the notice itself gives no detail on the flaw's mechanism or on how it is triggered. Security teams should enumerate every installed copy, including nested ones (for npm, `npm ls axios` lists each occurrence with its resolved version and the path that pulls it in), confirm the version in each node_modules/axios/package.json, and apply the upgrade recommended by the official Axios security advisory. Where an affected copy is pulled in by a third-party package that has not yet updated its own pin, the package manager's override mechanism (npm `overrides`, yarn `resolutions`) can force the lockfile to resolve to the recommended release until the upstream package catches up. Continued monitoring for additional CVE details and remediation guidance remains warranted, since the full scope of the vulnerability has not yet been disclosed.