CVE-2026-21697
HIGH
axios4go <0.6.4 - RCE
Title source: llmDescription
axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Impacted applications include those that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.
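The bug class described above, as an added Go example that is not axios4go's code: writing per-request settings into a shared `http.Client` lets a later request change the proxy an earlier one uses, while configuring a private copy does not. `Options`, `shared`, `unsafeClient`, `safeClient` and the proxy hosts are hypothetical names and constructed values, and the two requests are prepared back to back so the outcome is deterministic without goroutines.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// Options is a hypothetical per-request option set, not axios4go's own type.
type Options struct {
	Timeout time.Duration
	Proxy   *url.URL
}

// shared stands in for a package-level default client (constructed example).
var shared = &http.Client{Timeout: 30 * time.Second}

// apply writes per-request settings into c and returns it.
func apply(c *http.Client, o Options) *http.Client {
	c.Timeout = o.Timeout
	if o.Proxy != nil {
		c.Transport = &http.Transport{Proxy: http.ProxyURL(o.Proxy)}
	}
	return c
}

// unsafeClient mutates the shared client, so the last caller wins for everyone.
func unsafeClient(o Options) *http.Client { return apply(shared, o) }

// safeClient configures a private copy and never writes to the shared client.
func safeClient(o Options) *http.Client { c := *shared; return apply(&c, o) }

// proxyOf reports the proxy a client would send requests through ("" if none).
func proxyOf(c *http.Client) string {
	if t, ok := c.Transport.(*http.Transport); ok && t.Proxy != nil {
		u, _ := t.Proxy(nil) // http.ProxyURL ignores the request argument
		return u.String()
	}
	return ""
}

// interleave prepares request A, then request B, and returns the proxy A ends up with.
func interleave(build func(Options) *http.Client) string {
	a := build(Options{Timeout: time.Second, Proxy: &url.URL{Scheme: "http", Host: "proxy-a.example.test:8080"}})
	build(Options{Timeout: 5 * time.Second, Proxy: &url.URL{Scheme: "http", Host: "proxy-b.example.test:8080"}})
	return proxyOf(a)
}

func main() { fmt.Println("shared:", interleave(unsafeClient), "| copy:", interleave(safeClient)) }
```

A fresh `Transport` per request gives up connection reuse, so code that needs pooling can keep one immutable client per distinct proxy configuration instead.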
Scores
CVSS v3: 8.1
EPSS: 0.0015
EPSS Percentile: 35.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE: CWE-362
Status: published
Affected Products (1)
rezmoss/axios4go: < 0.6.4
Timeline
Published: Jan 07, 2026
Tracked Since: Feb 18, 2026