CVE-2026-21697: Silent Race Condition in axios4go That Can Leak Credentials Across Concurrent Requests

Aegiron 10 mins0

CVE ID: CVE-2026-21697
Affected Component: axios4go (Go HTTP client library)
Vulnerability Class: Race Condition
Impact Type: Cross-request credential leakage
CVSS Score: 8.2 (High)
Severity: High
Attack Vector: Network (indirect, via application behavior)
Privileges Required: None
User Interaction: None
Exploit Maturity: Proof-of-concept possible, no known weaponized exploit
Patch Available: Yes
Status: Fixed in axios4go v0.6.4

Executive Summary

CVE-2026-21697 is a high-severity race condition vulnerability in the axios4go library that can cause credentials, headers, and request configuration from one HTTP request to be unintentionally reused by another concurrent request.

The issue does not allow attackers to execute code or directly compromise the system. However, it breaks request isolation, which is critical in multi-threaded, multi-tenant, or high-concurrency services. Under the right conditions, authentication tokens, cookies, or proxy settings from one user or service can leak into another request, potentially exposing sensitive data to unauthorized destinations.

This vulnerability is especially dangerous in backend services, API gateways, microservices, and SaaS platforms that make outbound HTTP calls on behalf of different users or tenants at the same time.

Root Cause Analysis

The core problem lies in shared mutable state.

axios4go internally uses a global default HTTP client. For convenience, this client is reused across requests. However, axios4go allows per-request configuration, such as:

  • Custom proxy
  • Timeout values
  • Redirect handling
  • Transport configuration

Instead of creating a new HTTP client per request or cloning configuration safely, axios4go modifies the shared client directly at request time.

In a concurrent Go environment:

  • Goroutine A modifies the client (e.g., sets a proxy)
  • Goroutine B executes at the same time and sends a request
  • Goroutine B unknowingly uses Goroutine A’s configuration

Because these mutations are not synchronized, the configuration can “bleed” across requests.

This is a textbook race condition:
multiple goroutines read/write the same object without proper locking or isolation.

Why This Is Dangerous

On the surface, it may look like a harmless bug. In reality, it can lead to serious security failures, including:

  • Authorization headers sent to the wrong host
  • OAuth or API tokens reused across users
  • Cookies leaking between sessions
  • Requests routed through an unintended proxy
  • Internal service credentials exposed to external endpoints

This breaks confidentiality guarantees and tenant isolation, which are core security assumptions in modern backend systems.

Realistic Exploitation Scenarios

Scenario 1: Multi-tenant SaaS backend

A SaaS platform processes requests for thousands of users. Each incoming request triggers outbound API calls using axios4go.

An attacker sends many requests in parallel, forcing concurrency. At the same time, a privileged user request sets special headers or proxy settings.

Due to the race condition:

  • The attacker’s outbound request may inherit the privileged user’s Authorization header
  • Sensitive API tokens are sent to an attacker-controlled endpoint

Scenario 2: Proxy-based data exfiltration

One request configures axios4go to use a debugging or regional proxy.

Another request, running concurrently, sends sensitive data but unintentionally goes through that proxy.

Result:

  • Credentials and payloads are observable outside the intended trust boundary

Scenario 3: Internal service-to-service leakage

In microservice architectures, different internal services often use different credentials.

A race condition can cause:

  • Service A credentials to be used by Service B
  • Unexpected authentication failures
  • Data access violations that are extremely hard to trace

Exploitability Notes

This vulnerability does not have a single “exploit payload” like SQL injection or RCE.

Exploitation depends on:

  • High concurrency
  • Shared axios4go usage
  • Per-request configuration mutation
  • Precise timing

Educational Proof-of-Concept Concept

An educational PoC typically:

  1. Creates multiple goroutines
  2. Each goroutine sends HTTP requests with different headers or proxies
  3. Forces tight execution timing (loops, sleep jitter)
  4. Observes headers or routing inconsistencies in the outbound traffic

Such PoCs demonstrate data crossover, not direct compromise.

Because timing-based exploits are unreliable, this vulnerability is more likely to be abused accidentally or opportunistically than deliberately weaponized.

MITRE ATT&CK & CWE Mapping

  • CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization
  • ATT&CK Technique (Conceptual):
    • Credential Access (via unintended disclosure)
    • Collection (unauthorized data flow)
    • Lateral Movement (credential reuse across services)

Detection Strategy

What Makes This Hard to Detect

  • No crashes
  • No stack traces
  • No obvious errors
  • Looks like “random” behavior

Detection relies on behavioral anomalies, not signatures.

Key Indicators of Compromise or Misuse

  • Same Authorization token appearing in requests to different domains
  • Requests sent through unexpected proxies
  • Mismatched user IDs vs outbound credentials
  • Sudden authentication errors across unrelated services
  • Tokens being rejected by downstream APIs due to incorrect audience or scope

Recommended Log Sources

You should collect and correlate logs from:

  1. Application logs
    • Outbound request destination
    • Request ID / trace ID
    • User or tenant context (non-sensitive)
  2. Egress proxy logs
    • Destination host
    • Headers presence (not full values)
    • Proxy routing decisions
  3. Authentication provider logs
    • Token usage patterns
    • Token reuse across services
  4. Distributed tracing systems
    • Trace ID mismatches
    • Shared spans using different security contexts
  5. Network flow logs
    • Unexpected outbound connections
    • New or rare destinations

Detection Logic

  • Alert when the same token fingerprint is used across multiple destination hosts within a short time window
  • Flag outbound requests where:
    • User context ≠ credential owner
  • Detect proxy usage inconsistent with service policy

How to Validate If You Are Affected

  • Check if your project depends on axios4go below v0.6.4
  • Review code for:
    • Shared HTTP client usage
    • Per-request mutation of client config
  • Run tests with: go test -race Race detector warnings around HTTP client usage are a strong indicator of exposure.

Remediation and Hardening Guidance

Immediate Action

  • Upgrade axios4go to v0.6.4 or later

Official patch / upgrade link:
https://github.com/rezmoss/axios4go/releases/tag/v0.6.4

Additional Defensive Measures

  • Never mutate shared HTTP clients at runtime
  • Use one client per configuration
  • Treat HTTP clients as immutable
  • Avoid global singletons for outbound communication
  • Add concurrency stress tests
  • Log outbound request metadata consistently

Why This Vulnerability Is Often Missed

  • It doesn’t look like a “security bug”
  • Developers assume HTTP clients are safe to reuse
  • Race conditions are non-deterministic
  • Issues appear only under load
  • Symptoms resemble infrastructure problems

Yet, when exploited or triggered, the impact is real and severe.

Final Takeaway

CVE-2026-21697 undermines a foundational security assumption:
one request = one security context.

In modern concurrent systems, breaking this assumption can quietly expose credentials, violate tenant boundaries, and leak sensitive data without leaving obvious traces.

Upgrading is straightforward. Ignoring it is risky.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.