CVE-2021-3749

HIGH

axios <0.21.2 - Denial of Service via Inefficient Regular Expression


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-3749. PoCs published by T-Guerrero.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept for CVE-2021-3749, demonstrating a ReDoS (Regular Expression Denial of Service) vulnerability in the axios package. The exploit targets the trim function, which can be forced into excessive CPU consumption when processing crafted input strings.

Description

axios is vulnerable to Inefficient Regular Expression Complexity

Exploits (1)

nomisec (WORKING POC)
by T-Guerrero (poc)
https://github.com/T-Guerrero/axios-redos

Classification
Working PoC (95%)
Attack Type
DoS
Complexity
Moderate
Reliability
Reliable
Target: axios (versions prior to the fix commit 5b457116e31db0e88fede6c428e969e87f290929)
No auth needed
Prerequisites: Ability to provide crafted input to the trim function in the axios package
Analyzed by devstral-2 on Feb 18, 2026

References (14)

Core References (14)
https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31 (Exploit, Patch, Third Party Advisory; x_refsource_confirm)
https://www.oracle.com/security-alerts/cpujul2022.html (Third Party Advisory; x_refsource_misc)
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf (Third Party Advisory; x_refsource_confirm)

Scores

CVSS v3 7.5
EPSS 0.0889
EPSS Percentile 92.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-400 CWE-1333
Status published
Products (5)
axios/axios < 0.21.1
npm/axios 0 - 0.21.2 (npm)
oracle/goldengate 21.1 - 21.7.0.0.0
siemens/sinec_ins 1.0 (2 CPE variants)
siemens/sinec_ins < 1.0
Published Aug 31, 2021
Tracked Since Feb 18, 2026