
CVE-2026-21697

· Published 07/01/2026 23:15 · Modified 08/01/2026 18:08

Labels: CVE-2026-21697, 2026-01-07, CWE-362, [email protected]

Essential information

Published: 07/01/2026 23:15
Modified: 08/01/2026 18:08
Author:
Creator:
CVSS: 8.2 HIGH (v3), 8.2 HIGH (v4.0)
CISA KEV: No
CWE:
CVSS vector:

CVSS metrics

Description

axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Impacted applications include those that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product: axios4go / axios4go
CPE: cpe:2.3:a:axios4go:axios4go:*:*:*:*:*:*:*:*

References