PT-2026-35045 · Npm · Axios
Asadeddin · Published 2026-04-24 · Updated 2026-05-18

CVE-2026-42034

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Axios versions prior to 0.31.1
Axios versions prior to 1.15.1
Description
For stream request bodies, the maxBodyLength limit is bypassed when maxRedirects is set to 0 using the native http/https transport path. This allows oversized streamed uploads to be sent in full, even when strict body limits are configured by the caller.
Recommendations
Update to version 0.31.1.
Update to version 1.15.1.
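Where an upgrade cannot be rolled out immediately, the cap can be enforced on the stream itself so that it does not depend on which transport path axios takes. The following is an added example, not axios code and not the project's fix; BodyLimit, guardStreamBody and the ERR_BODY_LIMIT code are hypothetical names, and only the data, maxBodyLength and maxRedirects config fields come from axios.

```javascript
// Added example, not axios code: cap a streamed request body at the source.
const { Transform, pipeline } = require('stream');

// Hypothetical helper: passes chunks through until maxBytes is exceeded.
class BodyLimit extends Transform {
  constructor(maxBytes) {
    super();
    this.maxBytes = maxBytes;
    this.bytesSeen = 0;          // bytes offered by the producer so far
    this.limitExceeded = false;
  }

  _transform(chunk, _encoding, done) {
    this.bytesSeen += chunk.length;
    if (this.bytesSeen > this.maxBytes) {
      this.limitExceeded = true;
      const err = new Error(`request body exceeded ${this.maxBytes} bytes`);
      err.code = 'ERR_BODY_LIMIT'; // hypothetical code, not an axios error code
      return done(err);            // offending chunk is dropped, stream errors
    }
    done(null, chunk);
  }
}

// Hypothetical helper: takes an axios-style request config and returns a copy
// whose stream body is capped at maxBodyLength, whatever maxRedirects is.
function guardStreamBody(config) {
  const { data, maxBodyLength } = config;
  const isStream = Boolean(data) && typeof data.pipe === 'function';
  const hasLimit = Number.isFinite(maxBodyLength) && maxBodyLength > -1;
  if (!isStream || !hasLimit) return config; // nothing to enforce

  const limiter = new BodyLimit(maxBodyLength);
  // pipeline() destroys the source when the limiter errors, so the producer
  // stops instead of continuing to read the oversized input.
  pipeline(data, limiter, () => {});
  return { ...config, data: limiter };
}
```

A caller would pass the wrapped config straight through, for example axios(guardStreamBody({ method: 'post', url, data: stream, maxBodyLength: 1024, maxRedirects: 0 })), and the request then fails with the limiter's error once the stream exceeds the cap.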
Weakness Enumeration
Allocation of Resources Without Limits
Affected Products
Axios