Cyber Resilience

CVE-2026-21697

High

Published: 07 January 2026

Published
07 January 2026
Modified
09 March 2026
KEV Added
Patch
CVSS Score v4 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0036 28.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-21697 is a high-severity Race Condition (CWE-362) vulnerability in Rezmoss Axios4Go. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21697 is a race condition vulnerability (CWE-362) in the axios4go Go HTTP client library, affecting versions prior to 0.6.4. The issue arises because the global `defaultClient` is mutated during request execution without proper synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. This impacts applications that use axios4go with concurrent requests (such as multiple goroutines, `GetAsync`, or `PostAsync`), those employing different proxy configurations across requests, and any handling sensitive data like authentication credentials, tokens, or API keys. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploitation requires concurrent request execution in affected applications, allowing an attacker with network access to trigger a race condition through high-complexity interactions. A remote, unauthenticated attacker can manipulate client properties, potentially leading to high confidentiality impacts such as proxy redirection of sensitive requests to attacker-controlled servers, integrity violations via altered redirects or timeouts, and availability disruptions from misconfigured timeouts. This is particularly severe in multi-goroutine environments processing untrusted inputs or varying configurations.

The GitHub security advisory (GHSA-cmj9-27wj-7x47), release notes for v0.6.4, and fixing commit (b651604c64e66a115ab90cdab358b0181d74a842) confirm that upgrading to version 0.6.4 resolves the issue by addressing the unsynchronized mutations in the shared client configuration. Security practitioners should prioritize updating dependent applications and review usage patterns for concurrency and proxy handling.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and…

more

`CheckRedirect` properties. Impacted applications include that that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Race condition enables remote attacker to mutate shared HTTP client Transport (proxy redirection to attacker-controlled servers for MITM, T1557), Timeout (availability disruptions, T1499.004), and CheckRedirect properties.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28986Shared CWE-362
CVE-2026-34856Shared CWE-362
CVE-2026-42594Shared CWE-362
CVE-2025-21701Shared CWE-362
CVE-2026-34851Shared CWE-362
CVE-2025-30444Shared CWE-362
CVE-2026-23440Shared CWE-362
CVE-2026-41458Shared CWE-362
CVE-2025-43244Shared CWE-362
CVE-2026-46727Shared CWE-362

Affected Assets

rezmoss
axios4go
≤ 0.6.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of the race condition flaw in axios4go by installing the fix in version 0.6.4.

detect

Vulnerability scanning identifies systems using vulnerable pre-0.6.4 versions of the axios4go library.

detect

Ensures receipt and dissemination of security advisories like GHSA-cmj9-27wj-7x47 for the axios4go race condition vulnerability.

References