CVE-2026-42034

EUVD-2026-25601
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits. This vulnerability is fixed in 1.15.1 and 0.31.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 26%
Affected Products (NVD)
VendorProductVersion
axiosaxios
𝑥
< 0.31.1
axiosaxios
1.0.0 ≤
𝑥
< 1.15.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/axios/axios/security/advisories/GHSA-5c9x-8gcm-mpgx
https://github.com/axios/axios/security/advisories/GHSA-5c9x-8gcm-mpgx