CVE-2026-42036— Axios: HTTP adapter streamed responses bypass maxContentLength

CVSS 5.3 · Medium EPSS 0.05% · P16 Updated Apr 25, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-42036

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Axios: HTTP adapter streamed responses bypass maxContentLength

Source: NVD (National Vulnerability Database)

Vulnerability Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. This vulnerability is fixed in 1.15.1 and 0.31.1.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Source: NVD (National Vulnerability Database)

Vulnerability Type

不加限制或调节的资源分配

Source: NVD (National Vulnerability Database)

Vulnerability Title

Axios 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Axios是Axios开源的一款基于Promise（异步编程的一种解决方案）的HTTP客户端。 Axios 1.15.1之前版本和0.31.1之前版本存在安全漏洞，该漏洞源于使用responseType为stream时，Axios返回响应流而不强制执行maxContentLength，绕过配置的响应大小限制。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
axios	axios	>= 1.0.0, < 1.15.1	-

II. Public POCs for CVE-2026-42036

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-42036

请登录查看更多情报信息。

Same Patch Batch · axios · 2026-04-24 · 12 CVEs total

CVE-2026-42033	7.4 HIGH	Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hi
CVE-2026-42035	7.4 HIGH	Axios: Header Injection via Prototype Pollution
CVE-2026-42043	7.2 HIGH	Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loop
CVE-2026-42038	6.8 MEDIUM	Axios: no_proxy bypass via IP alias allows SSRF
CVE-2026-42044	6.5 MEDIUM	Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
CVE-2026-42042	5.4 MEDIUM	Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` B
CVE-2026-42037	5.3 MEDIUM	Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToS
CVE-2026-42034	5.3 MEDIUM	Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0
CVE-2026-42041	4.8 MEDIUM	Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Stra
CVE-2026-42040	3.7 LOW	Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
CVE-2026-42039		Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

IV. Related Vulnerabilities

Same product: axios

Same vendor: axios

Same weakness: CWE-770

V. Comments for CVE-2026-42036

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-42036— Axios: HTTP adapter streamed responses bypass maxContentLength

I. Basic Information for CVE-2026-42036

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-42036

III. Intelligence Information for CVE-2026-42036

Same Patch Batch · axios · 2026-04-24 · 12 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-42036

Leave a comment