Applications built on Node.js that use axios to call external APIs — including payment processors, identity providers, and SaaS integrations — could silently route traffic through an attacker-controlled server, exposing API keys, OAuth tokens, and customer data in transit. If exploitation occurs against a service handling regulated data, the organization faces breach notification obligations and potential fines under GDPR, HIPAA, or PCI-DSS depending on the data processed. Even without active exploitation, the presence of this vulnerability in a production supply chain creates audit findings and may block compliance certifications until remediated.
You Are Affected If
You run Node.js applications that import the axios npm package (directly or as a transitive dependency) in production
Your application processes or transmits sensitive data (authentication tokens, API keys, PII, payment data) via axios HTTP calls
Your runtime environment is susceptible to prototype pollution from another entry point (e.g., unsafe JSON parsing, user-controlled object merges)
You have not confirmed the patched axios version from GHSA-35jp-ww65-95wh is deployed across all services
Your outbound HTTP traffic is not inspected or filtered through an approved forward proxy with anomaly detection
Board Talking Points
A flaw in a widely-used open-source HTTP library (axios) could allow attackers to intercept outbound API calls from our applications, exposing credentials and sensitive data in transit.
Security teams should audit all Node.js services for the affected library and apply the vendor patch within 72 hours of the advisory confirming the patched version.
Without remediation, any application using this library to transmit authentication tokens or customer data remains at risk of silent credential theft with no visible sign of compromise.
GDPR — axios is used in Node.js applications that may transmit personal data outbound; successful MITM interception constitutes unauthorized data disclosure requiring breach assessment under Article 33
PCI-DSS — if axios is present in any cardholder data environment service making outbound API calls (e.g., payment gateway integrations), proxy redirection could expose PANs or authentication data in transit, implicating Requirement 4 (encryption in transit)