What Happened with the axios npm Security Compromise and How to Stay Safe
Problem
When I ran npm audit on my project, I got these security warnings:
$ npm audit# npm audit report
axios *Severity: moderateAxios SSRF and Credential Leakage - https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6Depends on vulnerable versions of form-data
form-data <4.0.0Severity: moderatePredictable Boundary Values - CVE-2025-7783I was using axios 1.7.0 in a production application. This was concerning because axios handles HTTP requests to external APIs, some of which contain sensitive credentials.
Environment
- Node.js 20.x
- npm 10.x
- axios 1.7.0 (vulnerable)
- macOS 14
What happened?
I discovered multiple security vulnerabilities affecting axios in 2025. The timing was interesting - I had just seen a Reddit thread asking “What do people use axios for?” posted hours after an axios supply chain attack was discovered.
Here’s what I found:
CVE-2025-27152 (March 2025) - SSRF and Credential Leakage:
Axios versions 1.0.0 to 1.8.2 were vulnerable to Server-Side Request Forgery (SSRF). When using absolute URLs, attackers could redirect requests to external servers, potentially leaking API keys and credentials.
CVE-2025-58754 (September 2025) - Denial of Service:
Processing malicious data: URLs could crash applications with uncaught exceptions.
CVE-2025-7783 (July 2025) - Transitive Vulnerability:
Axios’s form-data dependency had predictable boundary values, enabling request manipulation.
The broader context is worse. Multiple npm supply chain attacks hit the ecosystem in 2025 - Rspack, Nx, eslint-config-prettier - all following a pattern: compromise a popular package, inject malicious code, steal credentials from thousands of downstream projects.
How to check if you’re affected?
First, I checked my axios version:
npm list axiosOutput:
[email protected] /Users/cowrie/projects/my-projectVersion 1.7.0 is within the vulnerable range for CVE-2025-27152. I then ran a full security audit:
npm auditThe audit confirmed multiple vulnerabilities with axios and its dependency form-data.
How to fix it?
Step 1: Update axios to a patched version
Step 2: Verify the update
npm list axiosOutput:
[email protected] /Users/cowrie/projects/my-projectStep 3: Run audit again
npm auditOutput:
found 0 vulnerabilitiesHow to prevent this in the future?
1. Pin dependency versions
I used to use version ranges like ^1.11.0. That’s risky. Now I pin exact versions:
{ "dependencies": { "axios": "1.11.0" }}Without the ^ prefix, npm cannot automatically update to a potentially compromised version.
2. Commit lockfiles
git add package-lock.jsongit commit -m "chore: commit lockfile for reproducible builds"This ensures all team members and CI systems install the exact same versions.
3. Add security audit to CI
name: Security Audit
on: [push, pull_request]
jobs: audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - run: npm ci - run: npm audit --audit-level=high - run: npm audit signaturesNow every pull request gets checked for vulnerabilities.
4. Consider native fetch for simple cases
Axios adds about 13KB minified to your bundle. For simple HTTP requests, native fetch works fine:
async function httpRequest(url, options = {}) { const response = await fetch(url, { headers: { 'Content-Type': 'application/json', ...options.headers }, ...options })
if (!response.ok) { throw new Error(`HTTP ${response.status}: ${response.statusText}`) }
return response.json()}
// Usageconst data = await httpRequest('/api/users')Native fetch avoids third-party dependency risks entirely. As one Reddit commenter noted, package dependencies introduce security risks that fetch avoids by default.
Why does this keep happening?
The npm ecosystem is a prime target for supply chain attacks:
┌─────────────────┐│ Malicious Actor │└────────┬────────┘ │ (phishing, stolen tokens) ▼┌─────────────────┐ ┌─────────────────┐│ Popular Package │───▶│ 40M+ downloads ││ (e.g., axios) │ │ per week │└────────┬────────┘ └─────────────────┘ │ ▼┌─────────────────┐│ Malicious Code │ (credential theft, RATs, crypto mining)│ Injected │└─────────────────┘ │ ▼┌─────────────────┐│ Thousands of ││ Downstream ││ Projects │└─────────────────┘Key attack vectors:
- High impact, low effort: One compromised package affects thousands of projects
- Trust exploitation: Developers trust popular packages without verification
- Automated propagation: CI/CD systems auto-install latest versions
- Credential theft: npm tokens, GitHub keys, cloud credentials are valuable
Real-world consequences from similar attacks:
- Credential theft: GitHub tokens, npm tokens, SSH keys stolen
- Cryptocurrency mining: Malware installed on developer machines
- Backdoor installation: Persistent access to development environments
- Data exfiltration: IP addresses, system information collected
Common mistakes I’ve made
Looking back, I made several security mistakes:
- Using version ranges -
^1.7.0allowed automatic updates to any 1.x version - Ignoring audit warnings - I saw vulnerabilities but postponed fixing them
- Not committing lockfiles - Different team members had different axios versions
- Running npm install in production - Should use
npm ciwith locked dependencies
Summary
In this post, I showed how I discovered axios vulnerabilities in my project and fixed them by updating to version 1.11.0. The key points are: pin your dependency versions, commit lockfiles, add security audits to CI, and consider native fetch for simple use cases. The npm supply chain attacks in 2025 prove that dependency management is security management.
Final Words + More Resources
My intention with this article was to help others share my knowledge and experience. If you want to contact me, you can contact by email: Email me
Here are also the most important links from this article along with some further resources that will help you in this scope:
- 👨💻 GitHub Security Advisory: GHSA-jr5f-v2jv-69x6
- 👨💻 StepSecurity Analysis: axios npm compromise
- 👨💻 npm Security Best Practices
Oh, and if you found these resources useful, don’t forget to support me by starring the repo on GitHub!
Comments