Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios reads document.cookie. The practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read document.cookie. This vulnerability is fixed in 0.32.0 and 1.16.0.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44496.json
https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf
https://bugzilla.redhat.com/show_bug.cgi?id=2487943
https://access.redhat.com/security/cve/CVE-2026-44496
https://access.redhat.com/errata/RHSA-2026:36883
https://access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:36820
https://access.redhat.com/errata/RHSA-2026:36754
https://access.redhat.com/errata/RHSA-2026:34766
https://access.redhat.com/errata/RHSA-2026:33683
https://access.redhat.com/errata/RHSA-2026:33574
https://access.redhat.com/errata/RHSA-2026:33183
https://access.redhat.com/errata/RHSA-2026:33173
https://access.redhat.com/errata/RHSA-2026:33163
https://access.redhat.com/errata/RHSA-2026:33160
https://access.redhat.com/errata/RHSA-2026:33155
https://access.redhat.com/errata/RHSA-2026:30651
https://access.redhat.com/errata/RHSA-2026:30650
https://access.redhat.com/errata/RHSA-2026:30076
https://access.redhat.com/errata/RHSA-2026:29197
https://access.redhat.com/errata/RHSA-2026:29082
https://access.redhat.com/errata/RHSA-2026:28964
https://access.redhat.com/errata/RHSA-2026:28571
https://access.redhat.com/errata/RHSA-2026:27063
https://access.redhat.com/errata/RHSA-2026:27044
https://access.redhat.com/errata/RHSA-2026:26234