GHSA-58q2-9x27-h2jm

Source
https://github.com/advisories/GHSA-58q2-9x27-h2jm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-58q2-9x27-h2jm/GHSA-58q2-9x27-h2jm.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-58q2-9x27-h2jm
Published
2026-01-15T20:12:25Z
Modified
2026-01-15T20:20:03.606750Z
Severity
  • 2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
Summary
solspace/craft-freeform Has a DoS Vulnerability
Details

Summary

Freeform plugin v4.1.29 depends on a vulnerable Axios (^1.7.7), allowing unauthenticated attackers to crash servers with malicious data: URIs that cause memory exhaustion (CVE-2025-58754).

Freeform version: 4.1.29
Craft CMS version: 4.16.8

Impact

When Axios runs on Node.js and is given a URL with the data: scheme, it does not perform an HTTP request. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response. This path ignores maxContentLength / maxBodyLength (which only protect HTTP responses), so an attacker can supply a very large data: URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested responseType: 'stream'.

Database specific
{
    "github_reviewed_at": "2026-01-15T20:12:25Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "LOW"
}
References

Affected packages

Packagist / solspace/craft-freeform

Package

Name
solspace/craft-freeform
Purl
pkg:composer/solspace/craft-freeform

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1.29
Fixed
4.1.30

Affected versions

4.*

4.1.29

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-58q2-9x27-h2jm/GHSA-58q2-9x27-h2jm.json"