CVE-2026-21697
📋 TL;DR
A race condition vulnerability in the axios4go Go HTTP client library allows concurrent requests to mutate shared HTTP client configuration without synchronization. This affects applications that use axios4go with concurrent requests, different proxy configurations, or sensitive data. The vulnerability can lead to data leakage, request misrouting, or authentication failures.
💻 Affected Systems
- axios4go
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sensitive authentication credentials, API keys, or tokens could be leaked to unintended destinations via misconfigured proxies or transports, leading to complete account compromise and data breaches.
Likely Case
Concurrent requests interfere with each other's configuration, causing requests to fail, time out unexpectedly, or be routed to incorrect endpoints, disrupting application functionality.
If Mitigated
With proper isolation of HTTP client instances and no concurrent usage, the vulnerability has minimal impact, though the risk remains if configuration patterns change.
🎯 Exploit Status
Exploitation requires triggering race conditions through concurrent requests, which is feasible but timing-dependent. No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.6.4
Vendor Advisory: https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47
Restart Required: No
Instructions:
1. Update the axios4go dependency to version 0.6.4 or later.
2. For Go modules, run 'go get github.com/rezmoss/axios4go@v0.6.4'.
3. Rebuild and redeploy your application.
🔧 Temporary Workarounds
Use isolated HTTP client instances
Create separate http.Client instances for each goroutine or request instead of using the shared defaultClient.
client := &http.Client{Transport: customTransport, Timeout: customTimeout}
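As an added example (not axios4go's own code or API), this shows the isolated-client workaround in plain net/http together with a no-network check that each concurrent caller keeps the proxy it asked for; it doubles as the concurrent test suggested under "Verify Fix Applied" below. The function names, the proxy URLs and the target URL are constructed for illustration.

```go
package main

import (
	"net/http"
	"net/url"
	"sync"
	"time"
)

// newIsolatedClient gives each caller its own *http.Client and *http.Transport, so
// no goroutine can overwrite another's proxy or timeout (example, not axios4go's API).
func newIsolatedClient(proxyURL string, timeout time.Duration) (*http.Client, error) {
	u, err := url.Parse(proxyURL)
	if err != nil {
		return nil, err
	}
	tr := &http.Transport{Proxy: http.ProxyURL(u)} // fixed for this client only
	return &http.Client{Transport: tr, Timeout: timeout}, nil
}

// proxyFor reports which proxy c would route target through, with no network I/O.
func proxyFor(c *http.Client, target string) string {
	req, _ := http.NewRequest(http.MethodGet, target, nil)
	if tr, ok := c.Transport.(*http.Transport); ok && tr.Proxy != nil {
		if u, err := tr.Proxy(req); err == nil && u != nil {
			return u.String()
		}
	}
	return ""
}

// proxiesChosen builds one isolated client per proxy URL from concurrent goroutines
// and returns the proxy each would actually use, in input order. With isolated
// clients the result equals the input; run under `go test -race` to confirm.
func proxiesChosen(proxies []string) []string {
	got := make([]string, len(proxies)) // one slot per goroutine: no shared writes
	var wg sync.WaitGroup
	for i, p := range proxies {
		wg.Add(1)
		go func(i int, p string) {
			defer wg.Done()
			if c, err := newIsolatedClient(p, 5*time.Second); err == nil {
				got[i] = proxyFor(c, "https://example.invalid/")
			}
		}(i, p)
	}
	wg.Wait()
	return got
}
```

A package-level client whose Transport or Timeout is reassigned per request is the shape the advisory describes; the same check run against such a client can return another goroutine's proxy, and the race detector reports the conflicting writes.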
🧯 If You Can't Patch
- Disable concurrent request usage in the application to avoid race conditions.
- Implement application-level synchronization to control access to the shared HTTP client configuration.
🔍 How to Verify
Check if Vulnerable:
Check your go.mod or go.sum for the axios4go version. If it is below 0.6.4 and your application makes concurrent requests, you are vulnerable.
Check Version:
grep axios4go go.mod
Verify Fix Applied:
After updating, verify the version in go.mod is 0.6.4 or higher and test concurrent requests to ensure they execute without configuration interference.
📡 Detection & Monitoring
Log Indicators:
- Unexpected HTTP request failures or timeouts in concurrent operations
- Logs showing requests being routed to unexpected endpoints or proxies
Network Indicators:
- HTTP traffic to unexpected destinations when multiple requests are made simultaneously
- Unusual proxy usage patterns in concurrent scenarios
SIEM Query:
source="application_logs" AND ("request timeout" OR "proxy error") AND "concurrent"