CVE-2026-21697
Published: 07 January 2026
Summary
CVE-2026-21697 is a high-severity Race Condition (CWE-362) vulnerability in Rezmoss Axios4Go. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21697 is a race condition vulnerability (CWE-362) in the axios4go Go HTTP client library, affecting versions prior to 0.6.4. The issue arises because the global `defaultClient` is mutated during request execution without proper synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. This impacts applications that use axios4go with concurrent requests (such as multiple goroutines, `GetAsync`, or `PostAsync`), those employing different proxy configurations across requests, and any handling sensitive data like authentication credentials, tokens, or API keys. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires concurrent request execution in affected applications, allowing an attacker with network access to trigger a race condition through high-complexity interactions. A remote, unauthenticated attacker can manipulate client properties, potentially leading to high confidentiality impacts such as proxy redirection of sensitive requests to attacker-controlled servers, integrity violations via altered redirects or timeouts, and availability disruptions from misconfigured timeouts. This is particularly severe in multi-goroutine environments processing untrusted inputs or varying configurations.
The GitHub security advisory (GHSA-cmj9-27wj-7x47), release notes for v0.6.4, and fixing commit (b651604c64e66a115ab90cdab358b0181d74a842) confirm that upgrading to version 0.6.4 resolves the issue by addressing the unsynchronized mutations in the shared client configuration. Security practitioners should prioritize updating dependent applications and review usage patterns for concurrency and proxy handling.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1381
Vulnerability details
axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and…
more
`CheckRedirect` properties. Impacted applications include that that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Race condition enables remote attacker to mutate shared HTTP client Transport (proxy redirection to attacker-controlled servers for MITM, T1557), Timeout (availability disruptions, T1499.004), and CheckRedirect properties.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates timely remediation of the race condition flaw in axios4go by installing the fix in version 0.6.4.
Vulnerability scanning identifies systems using vulnerable pre-0.6.4 versions of the axios4go library.
Ensures receipt and dissemination of security advisories like GHSA-cmj9-27wj-7x47 for the axios4go race condition vulnerability.