CVE-2026-21697

CVE-2026-21697 is a race condition vulnerability (CWE-362) in the axios4go Go HTTP client library, affecting versions prior to 0.6.4. The issue arises because the global `defaultClient` is mutated during request execution without proper synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. This impacts applications that use axios4go with concurrent requests (such as multiple goroutines, `GetAsync`, or `PostAsync`), those employing different proxy configurations across requests, and any handling sensitive data like authentication credentials, tokens, or API keys. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploitation requires concurrent request execution in affected applications, allowing an attacker with network access to trigger a race condition through high-complexity interactions. A remote, unauthenticated attacker can manipulate client properties, potentially leading to high confidentiality impacts such as proxy redirection of sensitive requests to attacker-controlled servers, integrity violations via altered redirects or timeouts, and availability disruptions from misconfigured timeouts. This is particularly severe in multi-goroutine environments processing untrusted inputs or varying configurations.

The GitHub security advisory (GHSA-cmj9-27wj-7x47), release notes for v0.6.4, and fixing commit (b651604c64e66a115ab90cdab358b0181d74a842) confirm that upgrading to version 0.6.4 resolves the issue by addressing the unsynchronized mutations in the shared client configuration. Security practitioners should prioritize updating dependent applications and review usage patterns for concurrency and proxy handling.