CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-42036: maxContentLength Bypass and Resource Exhaustion in Axios

Vulnerability ID: CVE-2026-42036
CVSS Score: 5.3
Published: 2026-05-05

A resource exhaustion vulnerability exists in the Axios Node.js HTTP client: the maxContentLength option is not enforced for stream responses, which can lead to denial of service.

TL;DR

Axios fails to enforce response size limits on stream responses, so an attacker-controlled server can send an unbounded stream that bypasses the configured limit and exhausts local resources.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS Score: 5.3
  • EPSS Score: 0.00051
  • Impact: Denial of Service
  • Exploit Status: PoC
  • CISA KEV: False

Affected Systems

  • Node.js Applications using Axios
  • Services utilizing Axios for streaming external resources
  • axios: < 0.31.1 (Fixed in: 0.31.1)
  • axios: >= 1.0.0, < 1.15.1 (Fixed in: 1.15.1)

Code Analysis

Commit: 770f5ef

Bump follow-redirects to enforce maxBodyLength on streams

Exploit Details

  • Research Report: Conceptual PoC relying on a basic HTTP server returning an unbounded stream

Mitigation Strategies

  • Upgrade Axios library to version 1.15.1 or 0.31.1
  • Implement a custom Transform stream to manually count bytes and destroy the stream if a threshold is exceeded
  • Ensure downstream processing logic enforces its own size limits

Remediation Steps:

  1. Identify all usage of axios where responseType: 'stream' is configured.
  2. Update the axios dependency in package.json to >= 1.15.1 or 0.31.1.
  3. Run npm install or yarn install to update the lockfile.
  4. Verify the update pulled in follow-redirects >= 1.16.0 using npm ls follow-redirects.
