CVE-2026-21697: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in rezmoss axios4go
axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Impacted applications include those that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.
AI Analysis
Technical Summary
CVE-2026-21697 identifies a race condition vulnerability (CWE-362) in the axios4go Go HTTP client library versions before 0.6.4. The vulnerability stems from the global defaultClient object being mutated concurrently without proper synchronization during HTTP request execution. Specifically, the shared http.Client's Transport, Timeout, and CheckRedirect properties are modified during concurrent requests initiated by multiple goroutines (e.g., via GetAsync or PostAsync methods). This unsynchronized mutation can cause data races leading to inconsistent or incorrect HTTP client behavior, such as leaking proxy configurations or authentication credentials between requests. Applications that use axios4go in concurrent environments with different proxy settings or sensitive data are particularly vulnerable. The flaw can compromise confidentiality by exposing tokens, API keys, or credentials across requests. The vulnerability is remotely exploitable without authentication or user interaction, as it occurs during normal concurrent HTTP client usage. The issue was addressed in axios4go version 0.6.4 by introducing proper synchronization mechanisms to protect shared client configuration during concurrent access. No known exploits are currently reported in the wild, but the high CVSS 8.2 score reflects the significant risk posed by this race condition in multi-threaded applications.
Potential Impact
For European organizations, the vulnerability poses a significant risk to confidentiality and integrity of sensitive data transmitted via HTTP clients in Go applications. Organizations using axios4go in microservices, APIs, or backend systems that handle authentication tokens, API keys, or proxy configurations concurrently may experience data leakage or request tampering. This can lead to unauthorized access, data breaches, or service disruption. The impact is heightened in sectors like finance, healthcare, and government where sensitive data protection is critical. Additionally, the vulnerability could undermine trust in internal or external APIs and complicate compliance with GDPR and other data protection regulations. Since exploitation requires no authentication or user interaction, attackers could remotely trigger concurrent requests to exploit the race condition. The lack of known exploits currently provides a window for proactive mitigation before active attacks emerge.
Mitigation Recommendations
1. Upgrade axios4go to version 0.6.4 or later immediately to ensure the race condition is fixed.
2. Audit all Go applications using axios4go to identify concurrent HTTP client usage patterns, especially where different proxy or authentication configurations are applied per request.
3. Refactor code to avoid sharing mutable global HTTP client configurations across goroutines without proper synchronization primitives such as mutexes, or by using separate client instances per configuration.
4. Implement rigorous testing for concurrent request handling to detect race conditions using Go's race detector tool.
5. Monitor application logs for anomalies in HTTP client behavior or unexpected credential exposure.
6. Educate development teams on safe concurrent programming practices in Go, emphasizing immutable or properly synchronized shared state.
7. Review and tighten access controls and network segmentation to limit exposure of vulnerable services until patched.
8. Maintain an inventory of all internal and third-party Go libraries to quickly identify and remediate similar concurrency issues.
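The following Go program is an added example, not code from axios4go or from this advisory. It models the pattern the description and recommendations 3 and 4 refer to: a global `http.Client` whose `Transport` and `Timeout` are overwritten per request (`unsafeGet`), next to a hardened variant that configures a per-call copy of a never-written base client (`safeGet`). Two in-process `httptest` servers play the role of distinct proxies and stamp each response with their name, so `CountMismatches` can measure how many requests were routed through a proxy other than the one they asked for. All names (`RequestOptions`, `unsafeGet`, `safeGet`, `CountMismatches`, `SafeMismatches`, the `X-Served-By` header and the `origin.invalid` target) are constructed for this example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
	"time"
)

// RequestOptions stands in for per-request settings (proxy, timeout) that a
// client library might apply by writing into its shared client. Constructed
// for this example; not axios4go's types.
type RequestOptions struct {
	Proxy   *url.URL
	Timeout time.Duration
}

// defaultClient is the shared, mutable client of the vulnerable pattern.
var defaultClient = &http.Client{}

// unsafeGet reproduces the CWE-362 pattern: each call overwrites fields of the
// shared client before sending, so a goroutine can send through the proxy
// another goroutine just configured. `go test -race` reports a data race on
// defaultClient.Transport and defaultClient.Timeout here.
func unsafeGet(target string, o RequestOptions) (*http.Response, error) {
	defaultClient.Transport = &http.Transport{Proxy: http.ProxyURL(o.Proxy)}
	defaultClient.Timeout = o.Timeout
	return defaultClient.Get(target)
}

// safeGet never writes to shared state: it copies a read-only base client into
// a per-call value and configures only that copy. (In production, cache one
// client per distinct configuration instead of building a Transport per call.)
func safeGet(base *http.Client, target string, o RequestOptions) (*http.Response, error) {
	c := *base // shallow copy; base itself is never mutated
	c.Transport = &http.Transport{Proxy: http.ProxyURL(o.Proxy)}
	c.Timeout = o.Timeout
	return c.Get(target)
}

// newFakeProxy starts an in-process server that answers any request, including
// absolute-URI requests a client sends to an HTTP proxy, with a header naming it.
func newFakeProxy(name string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Served-By", name)
		io.WriteString(w, "ok")
	}))
}

// CountMismatches fires n concurrent requests, alternating between two fake
// proxies, via the supplied get function. It returns how many responses came
// back from a proxy other than the one that request was configured to use.
func CountMismatches(n int, get func(string, RequestOptions) (*http.Response, error)) (int, error) {
	names := []string{"proxy-A", "proxy-B"}
	proxies := []*httptest.Server{newFakeProxy(names[0]), newFakeProxy(names[1])}
	defer proxies[0].Close()
	defer proxies[1].Close()

	var wg sync.WaitGroup
	var mu sync.Mutex
	mismatches := 0
	var firstErr error

	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			pu, _ := url.Parse(proxies[i%2].URL)
			// The target host is never resolved: with a proxy configured the
			// client dials the proxy and sends the absolute URL to it.
			resp, err := get("http://origin.invalid/resource", RequestOptions{Proxy: pu, Timeout: 5 * time.Second})
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				if firstErr == nil {
					firstErr = err
				}
				return
			}
			defer resp.Body.Close()
			io.Copy(io.Discard, resp.Body)
			if resp.Header.Get("X-Served-By") != names[i%2] {
				mismatches++
			}
		}(i)
	}
	wg.Wait()
	return mismatches, firstErr
}

// SafeMismatches runs the hardened path; every request must reach its own proxy.
func SafeMismatches(n int) (int, error) {
	base := &http.Client{} // shared and read-only
	return CountMismatches(n, func(t string, o RequestOptions) (*http.Response, error) {
		return safeGet(base, t, o)
	})
}

func main() {
	// The unsafe count varies from run to run; the safe count is always 0.
	u, _ := CountMismatches(50, unsafeGet)
	s, _ := SafeMismatches(50)
	fmt.Printf("shared mutable client: %d mis-routed requests\n", u)
	fmt.Printf("per-call client copy:  %d mis-routed requests\n", s)
}
```

Run it with `go run -race .` to see the detector flag the writes in `unsafeGet`; the mis-routing count for the shared client depends on scheduling, which is exactly why a wrong-proxy leak of credentials or tokens is hard to reproduce and easy to miss in ordinary tests, while the per-call copy keeps every request on its own configuration.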
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-02T18:45:27.397Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695ee0db07b8a419a74d164c
Added to database: 1/7/2026, 10:40:27 PM
Last enriched: 1/14/2026, 11:42:10 PM
Last updated: 2/7/2026, 6:50:53 AM