CVE-2026-42034 Overview
Axios, the widely used promise-based HTTP client for browser and Node.js environments, contains a vulnerability in which the maxBodyLength configuration option is bypassed when a request body is streamed and maxRedirects is set to 0 (which selects the native http/https transport path). Oversized streamed uploads are then sent in full even though the caller has explicitly set a strict body limit, potentially leading to resource exhaustion.
Critical Impact
Applications relying on maxBodyLength to enforce upload size limits can be bypassed, allowing attackers to send oversized payloads through streamed uploads, potentially causing denial of service through resource exhaustion.
Affected Products
- Axios versions prior to 1.15.1
- Axios versions prior to 0.31.1
- Node.js applications using affected Axios versions with stream request bodies
Discovery Timeline
- 2026-04-24 - CVE-2026-42034 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-42034
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue lies in how Axios handles body size validation for stream-based request bodies when the maxRedirects option is set to 0, which forces Axios to use the native Node.js http or https transport path rather than its custom request handling.
Under normal circumstances, when a developer configures maxBodyLength to limit the size of outgoing request bodies, Axios should enforce this limit and reject requests that exceed it. However, when streaming data (such as from a file stream or readable stream) and maxRedirects is set to 0, this validation check is bypassed entirely.
The practical impact is that an application configured to only allow uploads of a certain size could inadvertently transmit much larger payloads. This could lead to bandwidth exhaustion, memory pressure on servers processing oversized uploads, or circumvention of application-level security controls designed to limit data transfer sizes.
Root Cause
The vulnerability stems from a logic gap in the request body size enforcement when the native http/https transport path is used. The maxBodyLength check is not applied to stream-based request bodies when redirect handling is disabled via maxRedirects: 0, leaving a code path in which the size validation is skipped and the stream is transmitted without limit regardless of the configured value.
Attack Vector
An attacker or malicious code could exploit this vulnerability by crafting requests that use streamed bodies while setting maxRedirects to 0. This bypasses any size restrictions the application developer intended to enforce through maxBodyLength. The attack is network-based and requires no authentication or user interaction.
The exploitation scenario involves:
- An application using Axios with maxBodyLength configured to limit upload sizes
- The application allows or requires stream-based uploads
- An attacker supplies a request configuration with maxRedirects: 0
- The oversized stream payload is transmitted in full, bypassing the body length limit
For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-42034
Indicators of Compromise
- Unusually large outbound HTTP/HTTPS requests from Node.js applications
- Network bandwidth spikes associated with Axios-based applications
- Memory consumption anomalies in services handling streamed uploads
- Log entries showing requests exceeding expected payload sizes
Detection Strategies
- Audit package dependencies to identify Axios versions prior to 1.15.1 (for 1.x branch) or 0.31.1 (for 0.x branch)
- Monitor for code patterns combining stream request bodies with maxRedirects: 0 configuration
- Implement network monitoring to detect oversized HTTP request bodies
- Use software composition analysis (SCA) tools to flag vulnerable Axios versions
Monitoring Recommendations
- Enable detailed logging for outbound HTTP requests in Node.js applications
- Set up alerts for network traffic anomalies indicating oversized uploads
- Monitor application memory and CPU usage for signs of resource exhaustion
- Implement request body size monitoring at the network or proxy layer as a defense-in-depth measure
How to Mitigate CVE-2026-42034
Immediate Actions Required
- Update Axios to version 1.15.1 or later for the 1.x branch
- Update Axios to version 0.31.1 or later for the 0.x branch
- Audit applications for code paths using stream bodies with maxRedirects: 0
- Implement network-level size limits as an additional layer of protection
Patch Information
The vulnerability has been fixed in Axios versions 1.15.1 and 0.31.1. Users should update their dependencies immediately to receive the security fix. The patch ensures that maxBodyLength is properly enforced for all request body types, including streams, regardless of the maxRedirects configuration.
For complete details, see the GitHub Security Advisory.
Workarounds
- Implement server-side request body size limits as a fallback protection mechanism
- Use reverse proxy or API gateway limits to enforce maximum request body sizes
- Avoid setting maxRedirects: 0 when using stream-based request bodies if size limits are critical
- Add application-level validation to pre-calculate stream sizes before transmission where possible
# Update Axios to the patched version (1.x branch)
npm install axios@1.15.1
# Or for the 0.x branch
npm install axios@0.31.1
# Verify the installed version, including any nested copies
npm list axios
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.