PatchSiren cyber security CVE debrief
CVE-2025-58754 Siemens CVE debrief
CVE-2025-58754 is a denial-of-service issue that the advisory corpus ties to Siemens SIDIS Prime, although the vulnerability text itself describes the Axios HTTP client running on Node.js. When an affected Axios version is handed a `data:` URL, it decodes the entire payload into memory, bypasses the size limits that only apply to HTTP responses, and returns a synthetic response. A sufficiently large `data:` URI can therefore drive unbounded memory growth and crash the process, even when the caller asked for a streamed response.
- Vendor: Siemens
- Product: SIDIS Prime
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-10
- Original CVE updated: 2026-03-12
- Advisory published: 2026-03-10
- Advisory updated: 2026-03-12
Who should care
Teams responsible for Siemens SIDIS Prime deployments and any Node.js services that use affected Axios releases should care, especially where untrusted or attacker-controlled URLs can reach request-handling code.
Technical summary
According to the source description, Axios releases from 0.28.0 up to the patched versions 0.30.2 and 1.12.0 do not make an HTTP request when given a `data:` scheme URL on Node.js. Instead, the http adapter decodes the entire payload into memory (a `Buffer` or `Blob`) and returns a synthetic 200 response. That path never consults `maxContentLength` or `maxBodyLength`, which are only enforced for HTTP responses, so a large `data:` URI forces a correspondingly large allocation and denies service. The advisory corpus maps remediation for Siemens SIDIS Prime to version V4.0.800 or later.
Defensive priority
High. The CVSS vector records an availability impact reachable over the network with no privileges and no user interaction, and the failure mode is process memory exhaustion followed by a crash.
Recommended defensive actions
- Update Siemens SIDIS Prime to V4.0.800 or later, per the advisory remediation.
- If your environment uses Axios directly on Node.js, upgrade to a patched release line that includes the fix (0.30.2 or 1.12.0, depending on the branch in use).
- Audit application paths that accept URLs from users or external systems and reject or tightly control `data:` scheme inputs where they are not explicitly needed.
- Do not rely on `responseType: 'stream'`, `maxContentLength`, or `maxBodyLength` as protection for this `data:` URI path; verify behavior in code review and testing.
- Add process-level monitoring and recovery controls for Node.js services so an unexpected memory spike is detected and contained quickly.
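The technical summary above explains that the size limits which protect HTTP responses are never consulted on the `data:` path, and the actions above ask for `data:` inputs to be rejected or bounded before they reach request-handling code. The following is an added example written for this debrief, not code from Axios, Siemens or the advisory: a pre-flight guard that runs before a URL is handed to any HTTP client on Node.js. It rejects `data:` URLs unless the caller opts in and, when they are allowed, estimates the decoded payload size from the URL text alone so that no oversized payload is ever decoded into a `Buffer`. The function names, the 1 MiB cap and the sample URLs are this example's own choices.

```javascript
// Added example (not Axios, Siemens or advisory code). Guard URLs before they
// reach an HTTP client so an attacker-controlled `data:` URI cannot force the
// client to decode an arbitrarily large payload into process memory.

// Estimate the decoded byte length of a data: URL body WITHOUT decoding it.
// Base64 bodies decode to 3 bytes per 4 characters, minus '=' padding.
// Other bodies are percent-encoded text: each %XX escape is one byte, so we
// subtract the two extra characters per escape from the UTF-8 length.
// Whitespace inside base64 is counted as data, which only over-estimates;
// the guard is meant to be conservative.
function estimateDataUrlDecodedBytes(dataUrl) {
  if (!dataUrl.startsWith('data:')) throw new TypeError('not a data: URL');
  const comma = dataUrl.indexOf(',');
  if (comma === -1) throw new TypeError('malformed data: URL (no comma)');
  const meta = dataUrl.slice(5, comma); // e.g. "text/plain;base64"
  const body = dataUrl.slice(comma + 1);
  if (/;base64$/i.test(meta)) {
    const padding = body.endsWith('==') ? 2 : body.endsWith('=') ? 1 : 0;
    return Math.floor((body.length * 3) / 4) - padding;
  }
  const escapes = (body.match(/%[0-9a-f]{2}/gi) || []).length;
  return Buffer.byteLength(body, 'utf8') - escapes * 2;
}

// Arbitrary cap for this example; a real service would pick a limit that
// matches what it genuinely needs to accept inline.
const DEFAULT_MAX_DECODED_BYTES = 1024 * 1024;

// Decide whether a caller-supplied URL may be passed to the HTTP client.
// Returns { ok, kind, decodedBytes?, reason? } rather than throwing, so the
// caller can log the reason and respond with a 4xx instead of crashing.
function checkOutboundUrl(input, options = {}) {
  const {
    allowDataUrls = false,
    maxDecodedBytes = DEFAULT_MAX_DECODED_BYTES,
  } = options;
  let url;
  try {
    url = new URL(input); // WHATWG parser, global in Node.js
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol === 'http:' || url.protocol === 'https:') {
    return { ok: true, kind: 'http' };
  }
  if (url.protocol === 'data:') {
    if (!allowDataUrls) {
      return { ok: false, reason: 'data: URLs are not permitted here' };
    }
    let bytes;
    try {
      bytes = estimateDataUrlDecodedBytes(input);
    } catch (err) {
      return { ok: false, reason: err.message };
    }
    if (bytes > maxDecodedBytes) {
      return {
        ok: false,
        reason: `data: payload would decode to ~${bytes} bytes, over the ${maxDecodedBytes} byte cap`,
      };
    }
    return { ok: true, kind: 'data', decodedBytes: bytes };
  }
  return { ok: false, reason: `unsupported scheme ${url.protocol}` };
}

// Constructed sample inputs: a tiny base64 payload ("hello world") and a
// synthetic ~2.1 MB payload of the kind an attacker would submit. Neither is
// decoded; the big one is rejected purely from its estimated size.
const SMALL_DATA_URL = 'data:text/plain;base64,aGVsbG8gd29ybGQ=';
const BIG_DATA_URL = 'data:application/octet-stream;base64,' + 'AAAA'.repeat(700000);

function demo() {
  return {
    smallDefault: checkOutboundUrl(SMALL_DATA_URL),
    smallOptIn: checkOutboundUrl(SMALL_DATA_URL, { allowDataUrls: true }),
    bigOptIn: checkOutboundUrl(BIG_DATA_URL, { allowDataUrls: true }),
    https: checkOutboundUrl('https://example.invalid/resource'),
    file: checkOutboundUrl('file:///etc/hosts'),
  };
}

console.log(demo());
```

Place the check in front of every `axios(...)` call that can receive a caller-supplied URL. It does not replace upgrading Axios; it stops untrusted `data:` input from ever reaching the client, which is the right layer regardless of which Axios release is installed, and it keeps `maxContentLength` and `maxBodyLength` out of the trust equation on this path, as the action list above advises.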
Evidence notes
The supplied CISA CSAF source item `ICSA-26-071-03` was published on 2026-03-10 and republished on 2026-03-12. The corpus records CVSS 7.5/HIGH with vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`. The advisory title and product mapping point to Siemens SIDIS Prime, while the vulnerability description itself is about Axios on Node.js handling of `data:` URLs. That mismatch is reflected in the source corpus and should be kept in mind when applying remediation guidance.
Official resources
- CVE-2025-58754 CVE record (CVE.org)
- CVE-2025-58754 NVD detail (NVD)
- Source item URL (cisa_csaf)
Public disclosure in the corpus is dated 2026-03-10, with a CISA republication/update on 2026-03-12.