axios Allocation of Resources Without Limits or Throttling Vulnerability - CVE-2025-58754

Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to version 1.11.0 runs on Node.js and is given a URL with the data: scheme it does not perform HTTP. Instead its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response. This path ignores maxContentLength / maxBodyLength (which only protect HTTP responses) so an attacker can supply a very large data: URI and cause the process to allocate unbounded memory and crash (DoS) even if the caller requested responseType: 39stream39. Version 1.11.0 contains a patch for the issue.