Axios CVE-2026-42034

| EUVD-2026-25601 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-24 GitHub_M
Denial Of Service Node.js
5.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Patch available
Apr 24, 2026 - 20:17 EUVD
Analysis Generated
Apr 24, 2026 - 18:45 vuln.today

DescriptionNVD

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits. This vulnerability is fixed in 1.15.1 and 0.31.1.

AnalysisAI

Axios versions prior to 1.15.1 and 0.31.1 allow remote attackers to bypass maxBodyLength restrictions on stream request bodies when maxRedirects is set to 0, enabling denial of service through oversized uploads that consume unbounded server resources. The vulnerability affects the native http/https transport path in Node.js environments and enables attackers to send streamed payloads that exceed configured size limits, potentially exhausting memory or bandwidth on the target application.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-42034 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy