Axios
cpe:2.3:a:axios:axios:*:*:*:*:node.js:*:*
- < 1.11.0
A denial-of-service vulnerability has been identified in Axios versions prior to 1.11.0 when used in Node.js. The issue arises when Axios is given a data: URL, which is not handled as a standard HTTP request. Instead, the Node.js HTTP adapter decodes the entire payload into memory and returns a synthetic 200 response. This decoding ignores any configured maximum content or body length limits (Axios's maxContentLength and maxBodyLength options), so a sufficiently large data URI can exhaust memory and crash the application. The problem is particularly serious because it occurs even when the response type is set to 'stream', the mode normally used to handle large transfers without loading them into memory.
Exploitation of this vulnerability can lead to out-of-memory errors, causing the Node.js process to crash. This behavior disrupts service availability, as the application cannot handle requests while the process is terminated.
To reproduce this vulnerability, send a POST request to an endpoint that uses Axios to handle data URLs. The request should include a data URL payload large enough to cause memory exhaustion, such as one that decodes to approximately 120 MB. Axios fully decodes the payload into memory, bypassing any configured size limits, and the Node.js process can be observed running out of memory and crashing.
Users can upgrade to Axios version 1.12.0 or later, where this vulnerability has been patched. The updated version enforces maximum content length limits on data URLs, preventing the decoding of excessively large payloads that could lead to memory exhaustion.
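For deployments that cannot upgrade immediately, or that want defence in depth against the decoding behaviour described above, the following added example (not Axios project code) shows a pre-flight guard that estimates the decoded size of a data: URL from its encoded length and rejects it when it exceeds the request's maxContentLength before Axios ever decodes it. The estimate for base64 payloads uses the 4-to-3 character-to-byte ratio minus padding; the "-1 means unlimited" convention mirrors Axios's own option semantics. The function names, the DATA_URL_TOO_LARGE error code and the sample data URLs are constructed for this example.

```javascript
// Added example, not Axios project code: reject oversized data: URLs before
// they reach the Node.js HTTP adapter. Assumes maxContentLength follows the
// Axios convention (undefined or -1 = unlimited).

const DATA_URL_RE = /^data:([^,]*?)(;base64)?,(.*)$/is;

// Returns the estimated decoded byte size of a data: URL, or null if the
// string is not a data: URL at all.
function estimateDataUrlDecodedBytes(url) {
  const m = DATA_URL_RE.exec(url);
  if (!m) return null;
  const isBase64 = Boolean(m[2]);
  const payload = m[3];
  if (isBase64) {
    // Whitespace is ignored by base64 decoders; every 4 characters encode
    // 3 bytes, and trailing '=' padding removes one byte each.
    const stripped = payload.replace(/\s/g, '');
    const padding = (stripped.match(/=+$/) || [''])[0].length;
    return Math.floor((stripped.length * 3) / 4) - padding;
  }
  // Percent-encoded payload: decode to measure; on malformed input fall back
  // to the encoded length, which is an upper bound on the decoded size.
  try {
    return Buffer.byteLength(decodeURIComponent(payload), 'utf8');
  } catch (e) {
    return payload.length;
  }
}

// Guard shaped like an Axios request interceptor: takes a request config,
// throws if a data: URL would decode past maxContentLength, else returns it.
function assertDataUrlWithinLimit(config) {
  const limit = config.maxContentLength;
  if (limit === undefined || limit === null || limit === -1) return config;
  const size = estimateDataUrlDecodedBytes(String(config.url));
  if (size !== null && size > limit) {
    const err = new Error(
      `data: URL decodes to ~${size} bytes, exceeding maxContentLength ${limit}`
    );
    err.code = 'DATA_URL_TOO_LARGE'; // constructed error code for this example
    throw err;
  }
  return config;
}

// Constructed inputs: "SGVsbG8=" is "Hello" (5 bytes); 4000 'A's decode to
// 3000 zero bytes, a stand-in for an arbitrarily large payload.
const smallUrl = 'data:text/plain;base64,SGVsbG8=';
const bigUrl = 'data:application/octet-stream;base64,' + 'A'.repeat(4000);

console.log('small decodes to', estimateDataUrlDecodedBytes(smallUrl), 'bytes');
console.log('big decodes to', estimateDataUrlDecodedBytes(bigUrl), 'bytes');
try {
  assertDataUrlWithinLimit({ url: bigUrl, maxContentLength: 1024 });
} catch (e) {
  console.log('rejected:', e.message);
}
```

In an application, register the guard with `axios.interceptors.request.use(assertDataUrlWithinLimit)` so every request config passes through it; non-data URLs are returned untouched and the normal HTTP path enforces maxContentLength as before. The estimate is deliberately computed from string length rather than by decoding, so the guard itself never allocates the payload it is protecting against.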