ByteOS Network

NVD Vulnerability Details :

CVE-2026-21697

Awaiting Analysis

Source-security-advisories@github.com

Published At-07 Jan, 2026 | 23:15

Updated At-08 Jan, 2026 | 18:08

axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Impacted applications include that that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	8.2	HIGH	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 4.0

Base score: 8.2

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses

CWE ID	Type	Source
CWE-362	Primary	security-advisories@github.com

CWE ID: CWE-362

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842	security-advisories@github.com	N/A
https://github.com/rezmoss/axios4go/releases/tag/v0.6.4	security-advisories@github.com	N/A
https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47	security-advisories@github.com	N/A