GHSA-58Q2-9X27-H2JM
The Infinite Buffer: Crashing Craft CMS via Axios Data URIs
Alon Barad
Software Engineer · Jan 16, 2026 · 7 min read
PoC Available
Executive Summary (TL;DR)
Solspace Freeform ships a version of Axios that is vulnerable to denial of service via `data:` URIs. Axios's Node.js adapter decodes such URIs synchronously into memory without applying any size limit, so a request carrying a very large Base64 payload forces the server to allocate gigabytes of RAM at once and crashes the process with an Out-of-Memory error.
A deep dive into CVE-2025-58754, where the popular Axios library's mishandling of `data:` URIs allows unauthenticated attackers to trigger Out-of-Memory (OOM) crashes in Solspace Freeform for Craft CMS.
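The root cause above is that the decoded payload is materialised before anyone asks how large it will be. The added example below (not axios's or Freeform's code) shows the defensive pattern: derive an upper bound on the decoded size from the encoded length alone, in constant extra memory, and refuse the URI before any buffer is allocated. The 10 MiB limit is an assumed policy value for illustration.

```javascript
// Added example (not axios's or Freeform's code): bound the decoded size of a
// data: URI from its *encoded* length so an oversized payload is rejected
// before any buffer proportional to it is allocated. The limit is an assumed
// policy value for illustration.

const DEFAULT_MAX_DECODED_BYTES = 10 * 1024 * 1024; // 10 MiB (assumption)

// Upper bound on the bytes a data: URI decodes to, computed without touching
// the payload: Base64 yields 3 bytes per 4 chars minus '=' padding;
// percent-encoded text yields at most one byte per char. Throws on anything
// that is not a data: URI so callers cannot accidentally bypass the check.
function estimateDataUriDecodedBytes(uri) {
  if (typeof uri !== 'string' || !uri.startsWith('data:')) {
    throw new TypeError('not a data: URI');
  }
  const comma = uri.indexOf(',');
  if (comma === -1) throw new TypeError('data: URI has no payload separator');
  const meta = uri.slice(5, comma);                // e.g. "text/plain;base64"
  const payloadLength = uri.length - comma - 1;
  const isBase64 = meta.split(';').some((p) => p.trim().toLowerCase() === 'base64');
  if (!isBase64) return payloadLength;
  let padding = 0;
  if (uri.endsWith('==')) padding = 2;
  else if (uri.endsWith('=')) padding = 1;
  return Math.floor((payloadLength * 3) / 4) - padding;
}

// Gate to run over any URL before handing it to a client whose data: path
// decodes eagerly. Returns a decision object rather than throwing so callers
// can log the rejected size.
function checkDataUri(uri, maxBytes = DEFAULT_MAX_DECODED_BYTES) {
  const bytes = estimateDataUriDecodedBytes(uri);
  if (bytes > maxBytes) {
    return { ok: false, bytes, reason: `decoded size ${bytes} exceeds limit ${maxBytes}` };
  }
  return { ok: true, bytes, reason: null };
}

// Constructed sample: a 4 KiB Base64 payload (3 KiB decoded) against a 1 KiB limit.
const oversized = 'data:application/octet-stream;base64,' + 'A'.repeat(4096);
console.log(checkDataUri(oversized, 1024));
// -> { ok: false, bytes: 3072, reason: 'decoded size 3072 exceeds limit 1024' }
console.log(checkDataUri('data:text/plain;base64,SGVsbG8=', 1024));
// -> { ok: true, bytes: 5, reason: null }
```

The estimate is an upper bound, so it can only reject more than a precise decoder would, which is the safe direction for a pre-allocation check.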
CVSS Score: 7.5 / 10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Probability: 0.06% (top 81% most exploited)
Affected Systems
- Craft CMS utilizing solspace/craft-freeform <= 4.1.29
- Node.js applications using axios < 1.12.0
- Server-side rendering or build tools dependent on vulnerable axios
Affected Versions Detail
| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| solspace/craft-freeform | Solspace | <= 4.1.29 | 4.1.30 |
| axios | Axios | < 1.12.0 | 1.12.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-770 |
| Attack Vector | Network |
| CVSS | 7.5 (High) |
| Impact | Denial of Service (OOM) |
| Vulnerable Component | Axios http adapter |
| Exploit Status | PoC Available |
MITRE ATT&CK Mapping
CWE-770: Allocation of Resources Without Limits or Throttling
Vulnerability Timeline
- 2025-09-10: Axios fix committed (945435f)
- 2025-09-12: CVE-2025-58754 published
- 2026-01-15: Solspace Freeform 4.1.30 released
- 2026-01-15: GHSA-58Q2-9X27-H2JM published