Description

axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Impacted applications include that that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.

INFO

Published Date :

2026-01-07T22:29:57.393Z

Last Modified :

2026-01-08T20:37:17.978Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-21697 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-21697.

URL Resource
https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842 cve-icon cve-icon
https://github.com/rezmoss/axios4go/releases/tag/v0.6.4 cve-icon cve-icon
https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability