CVE-2026-42034: maxBodyLength Bypass in Axios Node.js Stream Transport
Vulnerability ID: CVE-2026-42034
CVSS Score: 5.3
Published: 2026-05-05
Axios versions prior to 1.15.1 and 0.31.1 contain a flaw in the Node.js HTTP adapter where the maxBodyLength configuration is bypassed. This occurs only when a stream is used as the request body and maxRedirects is explicitly set to 0. Because the limit is never enforced, an oversized stream is transmitted in full, which can exhaust resources on the receiving endpoint and cause a denial of service.
TL;DR
A flaw in the Axios Node.js adapter bypasses the maxBodyLength limit when streaming uploads with maxRedirects set to 0, allowing unbounded data transmission.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-770
- Attack Vector: Network
- CVSS v3.1: 5.3 (Medium)
- EPSS Score: 0.00051 (15.64%)
- Impact: Denial of Service / Resource Exhaustion
- Exploit Status: PoC Available
- CISA KEV: Not Listed
Affected Systems
- Node.js environments utilizing Axios
- Server-side applications parsing and forwarding user-supplied streams
- Axios: < 0.31.1 (Fixed in: 0.31.1)
- Axios: >= 1.0.0, < 1.15.1 (Fixed in: 1.15.1)
Exploit Details
- Vulnerability Context: Proof of concept demonstrating the stream bypass with maxRedirects set to 0
Mitigation Strategies
- Upgrade Axios to patched version 1.15.1 or 0.31.1
- Implement manual stream byte monitoring and destruction logic
- Audit application configurations to identify usage of maxRedirects: 0
Remediation Steps
- Identify all Node.js projects utilizing the Axios HTTP client.
- Update package.json to require axios >= 1.15.1 (1.x line) or >= 0.31.1 (0.x line).
- Execute npm install or yarn install to fetch the updated packages.
- Verify that the follow-redirects transitive dependency is resolved to version 1.16.0 or higher.
References
- GHSA-5c9x-8gcm-mpgx: Axios maxBodyLength Bypass
- CVE-2026-42034 Record
- NVD Vulnerability Detail: CVE-2026-42034