Npm · Axios · CVE-2026-42037
**Name of the Vulnerable Software and Affected Versions**
Axios versions 1.0.0 through 1.15.0
**Description**
The `FormDataPart` constructor in `lib/helpers/formDataToStream.js` interpolates the `value.type` property directly into the Content-Type header of each multipart part without sanitizing CRLF (carriage return and line feed) sequences. An attacker who controls the `.type` property of a Blob or File-like object can inject arbitrary MIME part headers into the multipart form-data body. The injection bypasses the built-in header protections in Node.js v18 and later because it occurs within the multipart body structure rather than in the HTTP request headers.
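The pattern described above, modelled as an added example next to an application-side check that falls back to `application/octet-stream` when `.type` is not a plain MIME type. This is not axios source code and not the upstream fix; the function names, the allow-list regex and the sample `.type` value are constructed for illustration.

```javascript
// Simplified model of multipart part-header construction (hypothetical names,
// not axios code). Sample values below are constructed.
const CRLF = '\r\n';

// Mirrors the described flaw: value.type is interpolated verbatim.
function partHeadersUnsafe(name, value) {
  let headers = `Content-Disposition: form-data; name="${name}"${CRLF}`;
  headers += `Content-Type: ${value.type || 'application/octet-stream'}${CRLF}`;
  return headers + CRLF; // blank line ends the part's header block
}

// Allow-list (assumption): type/subtype tokens plus optional parameters.
// Only space/tab may surround ';', so CR and LF can never match.
const TOKEN = "[\\w!#$&^.+-]+";
const MIME_RE = new RegExp(
  `^${TOKEN}/${TOKEN}(?:[ \\t]*;[ \\t]*${TOKEN}=(?:${TOKEN}|"[^"\\r\\n\\\\]*"))*$`
);

// Return the type unchanged if it is a plain MIME type, else a safe default.
function safeMimeType(type) {
  const t = String(type || '');
  return MIME_RE.test(t) ? t : 'application/octet-stream';
}

// Same builder, but the type is validated before it reaches the header.
function partHeadersSafe(name, value) {
  return partHeadersUnsafe(name, { type: safeMimeType(value.type) });
}

// Names of the header lines that a receiver would parse for this part.
function headerNames(block) {
  return block.split(CRLF + CRLF)[0].split(CRLF).map((l) => l.split(':')[0]);
}

// Constructed File-like object whose .type carries an embedded CRLF.
const sample = { type: 'text/plain\r\nX-Constructed-Header: 1' };

console.log(headerNames(partHeadersUnsafe('f', sample)));
// [ 'Content-Disposition', 'Content-Type', 'X-Constructed-Header' ]
console.log(headerNames(partHeadersSafe('f', sample)));
// [ 'Content-Disposition', 'Content-Type' ]
```

The same `safeMimeType` check can be applied to Blob or File-like objects before they are handed to an HTTP client, and its fallback branch is a useful place to log rejected values.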
**Recommendations**
Update to version 1.15.1.