PT-2026-35047 · Npm · Axios

Kobi-S · Published 2026-04-24 · Updated 2026-05-18 · CVE-2026-42037

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Axios versions 1.0.0 through 1.15.0

Description

The FormDataPart constructor in lib/helpers/formDataToStream.js interpolates the value.type property directly into the Content-Type header of each multipart part without sanitizing CRLF (carriage return and line feed) sequences. An attacker who controls the .type property of a Blob or File-like object can inject arbitrary MIME part headers into the multipart form-data body. The injection bypasses the built-in header protections in Node.js v18 and later because it occurs within the multipart body structure rather than in the HTTP request headers.

Recommendations

Update to version 1.15.1.
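
The header-construction pattern described above, modelled as an added example (not axios source code and not its fix): an unsafe builder that interpolates a File-like object's type, next to a variant that rejects control characters. All function names and the sample value are constructed for illustration, and the field name is assumed to be a fixed, trusted string.

```javascript
// Added illustration: a simplified model, not code from axios.
const CRLF = '\r\n';
const DEFAULT_TYPE = 'application/octet-stream';

// Pattern the advisory describes: value.type goes into the part header as-is.
// `name` is assumed to be a fixed, trusted field name in this model.
function buildPartHeadersUnsafe(name, value) {
  return `Content-Disposition: form-data; name="${name}"${CRLF}` +
    `Content-Type: ${value.type || DEFAULT_TYPE}${CRLF}${CRLF}`;
}

// Hardened variant: reject CR, LF and any other control character in the type.
function checkedPartType(value) {
  const type = String(value.type || DEFAULT_TYPE);
  if (/[\x00-\x1f\x7f]/.test(type)) {
    throw new TypeError('control character in multipart part Content-Type');
  }
  return type;
}

function buildPartHeadersSafe(name, value) {
  return `Content-Disposition: form-data; name="${name}"${CRLF}` +
    `Content-Type: ${checkedPartType(value)}${CRLF}${CRLF}`;
}

// Header lines a multipart parser would see for this part
// (everything before the blank line that ends the header block).
function headerLines(block) {
  return block.split(CRLF + CRLF)[0].split(CRLF);
}

// Constructed sample: a File-like object whose type carries a CRLF sequence.
const sample = { type: 'text/plain\r\nX-Constructed-Header: demo' };

function demo() {
  const unsafeCount = headerLines(buildPartHeadersUnsafe('file', sample)).length;
  let rejected = false;
  try {
    buildPartHeadersSafe('file', sample);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { unsafeCount, rejected };
}

console.log(demo());
```

The same check can run in application code on File-like objects before they reach an affected Axios version; updating to 1.15.1 remains the recommendation.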

Related Identifiers

CLEANSTART-2026-BE61221
CLEANSTART-2026-LC05413
CVE-2026-42037
GHSA-445Q-VR5W-6Q77

Affected Products

Axios