CVE-2026-39865

Summary

Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. This denial-of-service vulnerability affects axios versions prior to 1.13.2 when HTTP/2 is enabled.

Details

The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array.

Vulnerable Code:

while (i--) {
  if (entries[i][0] === session) {
    entries.splice(i, 1);
    if (len === 1) {
      delete this.sessions[authority];
      return;
    }
  }
}

Root Cause: After calling entries.splice(i, 1) to remove a session, the original code only returned early if len === 1. For arrays with multiple entries, the iteration continued after modifying the array, causing undefined behavior and potential crashes when accessing shifted array indices.

Fixed Code:

while (i--) {
  if (entries[i][0] === session) {
    if (len === 1) {
      delete this.sessions[authority];
    } else {
      entries.splice(i, 1);
    }
    return;
  }
}

The fix restructures the control flow to immediately return after removing a session, regardless of whether the array is being emptied or just having one element removed. This prevents continued iteration over a modified array and eliminates the state corruption vulnerability.

Affected Component:

• lib/adapters/http.js - Http2Sessions class, session cleanup in connection close handler

PoC

1. Set up a malicious HTTP/2 server that accepts multiple concurrent connections from an axios client
2. Establish multiple concurrent HTTP/2 sessions with the axios client
3. Close all sessions simultaneously with precise timing
4. The flawed cleanup logic attempts to iterate over and modify the sessions array concurrently
5. This causes the client to access invalid memory locations, resulting in a process crash