EUVD-2026-25603
GHSA-445q-vr5w-6q77
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 273 npm packages depend on axios (189 direct, 84 indirect)
Ecosystem-wide dependent count for version 1.0.0.
DescriptionGitHub Advisory
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.
AnalysisAI
Axios HTTP client versions 1.0.0 through 1.15.0 allow header injection in multipart form-data bodies through unsanitized CRLF sequences in the Content-Type header of individual parts. An attacker controlling a Blob/File object's .type property (such as via user-uploaded files in a Node.js proxy service) can inject arbitrary MIME headers into the multipart body, bypassing Node.js v18+ built-in header protections. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must control the .type property of a Blob or File-like object passed to Axios FormData constructors in a Node.js environment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.3 score (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates network-accessible, unauthenticated exploitation with low complexity and integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker uploads a malicious file to a Node.js proxy service that uses Axios to forward the file to a backend API. The attacker crafts a File object with .type set to 'application/json\r\nContent-Disposition: form-data; name="admin"; filename="admin.txt"' and injects a crafted header that causes the receiving server to misinterpret the request structure or bypass header-based access controls. … |
| Remediation | Upgrade Axios to version 1.15.1 or later immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) a
Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.p
Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object
Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied
Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default edito
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today