CVE-2026-42040: CVE-2026-42040: Null Byte Injection via Improper Parameter Serialization in Axios

#security #cve #cybersecurity

CVE-2026-42040: Null Byte Injection via Improper Parameter Serialization in Axios

Vulnerability ID: CVE-2026-42040
CVSS Score: 3.7
Published: 2026-05-05

Axios versions prior to 0.31.1 and 1.x versions prior to 1.15.1 contain a Null Byte Injection vulnerability (CWE-626) in the AxiosURLSearchParams module. A logic defect in the internal parameter encoder incorrectly reverts safely encoded null bytes (%00) back into raw null byte characters. This flaw can facilitate path truncation attacks or security filter bypasses when interacting with vulnerable downstream systems.

TL;DR

A logic flaw in Axios's URL parameter serializer reverts safely encoded null bytes (%00) back to raw null characters. This requires a specific non-default configuration to trigger but can lead to downstream parsing errors or WAF bypasses.

Technical Details

CWE ID: CWE-626
Attack Vector: Network
CVSS v3.1 Score: 3.7 (Low)
EPSS Score: 0.00044
Exploit Status: None
CISA KEV: False

Affected Systems

Axios HTTP Client (Node.js environments)
Axios HTTP Client (Browser environments)
Axios: < 0.31.1 (Fixed in: 0.31.1)
Axios: >= 1.0.0, < 1.15.1 (Fixed in: 1.15.1)

Mitigation Strategies

Upgrade Axios dependency to versions 1.15.1 or 0.31.1
Audit custom paramsSerializer configurations to remove dependencies on AxiosURLSearchParams
Implement strong input validation to reject unprintable control characters like null bytes before serialization

Remediation Steps:

Verify the current Axios version in package.json and lockfiles
Execute package manager update commands to pull the latest patched minor/patch versions
Search the application codebase for references to AxiosURLSearchParams or custom paramsSerializer functions
Execute integration tests to ensure parameter serialization continues to function correctly with native JavaScript alternatives