CVE-2026-42037: CRLF Injection in Axios Multipart Form Data Generation
Vulnerability ID: CVE-2026-42037
CVSS Score: 5.3
Published: 2026-05-05
A CRLF injection vulnerability exists in Axios versions 1.0.0 through 1.15.0 when operating in a Node.js environment. The flaw allows attackers to inject arbitrary headers into multipart/form-data payloads due to improper sanitization of the file type property, bypassing native Node.js HTTP header protections.
TL;DR
Axios < 1.15.1 is vulnerable to CRLF injection within multipart/form-data bodies. Attackers controlling the MIME type of uploaded files can inject malicious headers or manipulate the body payload. Upgrading to 1.15.1 resolves the issue.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-93
- CVSS v3.1 Score: 5.3 (Medium)
- Attack Vector: Network
- Exploit Status: Proof of Concept
- EPSS Score: 0.00061 (18.76th percentile)
- CISA KEV: Not Listed
Affected Systems
- Node.js environments utilizing Axios for HTTP requests
- Server-side applications proxying file uploads via Axios
- axios: >= 1.0.0, < 1.15.1 (Fixed in: 1.15.1)
Mitigation Strategies
- Upgrade to Axios version 1.15.1 or newer.
- Implement server-side allowlisting for user-supplied MIME types.
- Avoid trusting client-provided file metadata; use magic byte analysis for file type detection.
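The second and third mitigations above, as an added defensive example that is not Axios project code: the client-supplied MIME type is validated against the token grammar (which excludes CR, LF and other control characters) and an allowlist, then cross-checked against the file's magic bytes before it becomes the Content-Type of a multipart part. The allowlist, magic-byte table and the names resolvePartType/buildUpload are assumptions for this example; it targets Node 18+ where FormData and Blob are globals.

```javascript
// Added defensive example (not Axios project code): validate a client-supplied
// MIME type before it is used as the Content-Type of a multipart part, and
// cross-check it against the file's magic bytes instead of trusting metadata.

// Allowlist of part content types this upload endpoint accepts (assumption).
const ALLOWED_TYPES = new Set(['image/png', 'image/jpeg', 'application/pdf']);

// RFC 2045 token grammar: type "/" subtype, no whitespace and no control
// characters, so any value carrying CR/LF or a header separator is rejected.
const MIME_TOKEN = /^[A-Za-z0-9!#$%&'*+.^_`|~-]+\/[A-Za-z0-9!#$%&'*+.^_`|~-]+$/;

// Magic-byte prefixes for the allowlisted types (constructed table).
const MAGIC = [
  { type: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // "%PDF-"
];

// Returns the MIME type detected from the content, or null if none matches.
function sniffType(buf) {
  const hit = MAGIC.find(m => m.bytes.every((b, i) => buf[i] === b));
  return hit ? hit.type : null;
}

// Returns the type to use for the part, or throws if the declared type is
// malformed, not allowlisted, or disagrees with the file's actual content.
function resolvePartType(declared, buf) {
  if (typeof declared !== 'string' || !MIME_TOKEN.test(declared)) {
    throw new Error('malformed content type'); // rejects CR/LF in the type
  }
  const type = declared.toLowerCase();
  if (!ALLOWED_TYPES.has(type)) throw new Error(`type not allowed: ${type}`);
  if (sniffType(buf) !== type) {
    throw new Error('declared type does not match file content');
  }
  return type;
}

// Builds the multipart body with the validated type; the caller can hand the
// resulting FormData to axios.post() as usual.
function buildUpload(filename, declared, buf) {
  const type = resolvePartType(declared, buf);
  const form = new FormData(); // Node 18+ global
  form.append('file', new Blob([buf], { type }), filename);
  return form;
}
```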
Remediation Steps:
- Audit project dependencies using npm audit or yarn audit to identify vulnerable versions of axios.
- Update the package.json file to require axios@^1.15.1.
- Run dependency installation (npm install or yarn install) to fetch the patched version.
- Review codebases for instances where user-supplied file objects are passed directly into FormData payloads.