CVE-2026-44496 (HIGH): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2026-44496	HIGH	axios	1.15.2	1.16.0, 0.32.0	2026-06-11T17:16:33.59Z	2026-06-12T10:18:16.790052646Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/nodejs:latest	public.ecr.aws/lambda/nodejs@sha256:5fc0a885aec5f7af983d873496774cc8151a64b4b0be567b2c5707b0441c4f63
public.ecr.aws/lambda/nodejs:24	public.ecr.aws/lambda/nodejs@sha256:dbb877d56e710380d86a0ad9ab48a53ffa0977cbabebd6ae0db366a4cc88b20e
public.ecr.aws/lambda/nodejs:22	public.ecr.aws/lambda/nodejs@sha256:5fc0a885aec5f7af983d873496774cc8151a64b4b0be567b2c5707b0441c4f63

---

Description

Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios reads document.cookie. The practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read document.cookie. This vulnerability is fixed in 0.32.0 and 1.16.0.

---

Remediation Steps

• Update the affected package axios from version 1.15.2 to 1.16.0, 0.32.0.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.