CVE-2026-42034— Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0

CVSS 5.3 · Medium EPSS 0.05% · P16 Updated Apr 25, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-42034

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0

Source: NVD (National Vulnerability Database)

Vulnerability Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits. This vulnerability is fixed in 1.15.1 and 0.31.1.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Source: NVD (National Vulnerability Database)

Vulnerability Type

不加限制或调节的资源分配

Source: NVD (National Vulnerability Database)

Vulnerability Title

Axios 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Axios是Axios开源的一款基于Promise（异步编程的一种解决方案）的HTTP客户端。 Axios 1.15.1之前版本和0.31.1之前版本存在安全漏洞，该漏洞源于当maxRedirects设置为0时，流请求正文的maxBodyLength被绕过，导致超大数据流上传完全发送。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
axios	axios	>= 1.0.0, < 1.15.1	-

II. Public POCs for CVE-2026-42034

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-42034

请登录查看更多情报信息。

Same Patch Batch · axios · 2026-04-24 · 12 CVEs total

CVE-2026-42033	7.4 HIGH	Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hi
CVE-2026-42035	7.4 HIGH	Axios: Header Injection via Prototype Pollution
CVE-2026-42043	7.2 HIGH	Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loop
CVE-2026-42038	6.8 MEDIUM	Axios: no_proxy bypass via IP alias allows SSRF
CVE-2026-42044	6.5 MEDIUM	Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
CVE-2026-42042	5.4 MEDIUM	Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` B
CVE-2026-42037	5.3 MEDIUM	Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToS
CVE-2026-42036	5.3 MEDIUM	Axios: HTTP adapter streamed responses bypass maxContentLength
CVE-2026-42041	4.8 MEDIUM	Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Stra
CVE-2026-42040	3.7 LOW	Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
CVE-2026-42039		Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

IV. Related Vulnerabilities

Same product: axios

Same vendor: axios

Same weakness: CWE-770

V. Comments for CVE-2026-42034

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-42034— Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0

I. Basic Information for CVE-2026-42034

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-42034

III. Intelligence Information for CVE-2026-42034

Same Patch Batch · axios · 2026-04-24 · 12 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-42034

Leave a comment