{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21697", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-02T18:45:27.397Z", "datePublished": "2026-01-07T22:29:57.393Z", "dateUpdated": "2026-01-08T20:37:17.978Z"}, "containers": {"cna": {"title": "axios4go's Race Condition in Shared HTTP Client Allows Proxy Configuration Leak", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47"}, {"name": "https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842", "tags": ["x_refsource_MISC"], "url": "https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842"}, {"name": "https://github.com/rezmoss/axios4go/releases/tag/v0.6.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/rezmoss/axios4go/releases/tag/v0.6.4"}], "affected": [{"vendor": "rezmoss", "product": "axios4go", "versions": [{"version": "< 0.6.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-07T22:29:57.393Z"}, "descriptions": [{"lang": "en", "value": "axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Impacted applications include that that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue."}], "source": {"advisory": "GHSA-cmj9-27wj-7x47", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T20:37:08.423675Z", "id": "CVE-2026-21697", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T20:37:17.978Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21697", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T20:37:08.423675Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T20:37:12.742Z"}}], "cna": {"title": "axios4go's Race Condition in Shared HTTP Client Allows Proxy Configuration Leak", "source": {"advisory": "GHSA-cmj9-27wj-7x47", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "rezmoss", "product": "axios4go", "versions": [{"status": "affected", "version": "< 0.6.4"}]}], "references": [{"url": "https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47", "name": "https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842", "name": "https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rezmoss/axios4go/releases/tag/v0.6.4", "name": "https://github.com/rezmoss/axios4go/releases/tag/v0.6.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Impacted applications include that that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-07T22:29:57.393Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21697", "state": "PUBLISHED", "dateUpdated": "2026-01-08T20:37:17.978Z", "dateReserved": "2026-01-02T18:45:27.397Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-07T22:29:57.393Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rezmoss:axios4go:*:*:*:*:*:go:*:*", "matchCriteriaId": "53BFBFF7-32A9-4C6A-B563-6CABA5301DE5", "versionEndExcluding": "0.6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Impacted applications include that that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue."}], "id": "CVE-2026-21697", "lastModified": "2026-03-09T13:57:52.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-07T23:15:50.533", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/rezmoss/axios4go/releases/tag/v0.6.4"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:47:26.985887+00:00", "value": {"mitigation_remediation": ["Upgrade axios4go to v0.6.4 or later, which removes the race condition.", "If upgrading is not possible, avoid using the shared defaultClient for concurrent requests; instead instantiate a separate http.Client for each goroutine or each distinct proxy configuration.", "Modify any code that modifies request proxy settings concurrently to use proper synchronization (e.g., mutexes) or to avoid shared mutable state."], "summary": {"action": "Patch immediately", "impact": "Sensitive data leakage due to proxy configuration exposure"}, "threat_synthesis": {"affected_systems": "All Go applications that import rezmoss/axios4go and use a version earlier than 0.6.4 are impacted. The issue specifically affects code paths that perform concurrent GetAsync, PostAsync or other async calls and provide distinct proxy settings for each request, as the shared client is mutated globally.", "description_and_impact": "The race condition in axios4go's shared HTTP client causes the global defaultClient to be mutated without synchronization during request execution, altering the Transport, Timeout and CheckRedirect fields. In concurrent goroutine requests that supply different proxy configurations, this can cause one request to observe another request\u2019s proxy settings, which may include authentication credentials or tokens, leading to accidental leakage of sensitive information. The flaw is a classic race condition, classified as CWE-362.", "risk_and_exploitability": "With a CVSS score of 8.2 the vulnerability is high severity, but the EPSS calculation of <1% indicates a low likelihood of current exploitation. It is not listed in the CISA KEV catalog, meaning no widespread attacks have been observed. Exploitation requires an attacker who can influence concurrent goroutine requests and supply varied proxy configurations; therefore the attack vector is inferred from the concurrency behavior described in the vulnerability."}}}}, "created": "2026-04-18T17:00:05.562817+00:00", "updated": "2026-04-18T17:00:05.562834+00:00", "vendors": []}