CVE-2026-42036 Overview
CVE-2026-42036 is a resource exhaustion vulnerability in Axios, a widely-used promise-based HTTP client for browser and Node.js environments. When using responseType: 'stream', Axios fails to enforce the configured maxContentLength limit, allowing unbounded downstream consumption of response data. This bypasses intended response-size restrictions and can lead to denial of service conditions through memory exhaustion.
Critical Impact
Applications using Axios streaming responses may be vulnerable to resource exhaustion attacks, potentially causing service unavailability when attackers send oversized responses that bypass configured limits.
Affected Products
- Axios versions prior to 1.15.1
- Axios versions prior to 0.31.1
- Node.js applications using Axios with responseType: 'stream'
Discovery Timeline
- 2026-04-24 - CVE CVE-2026-42036 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-42036
Vulnerability Analysis
This vulnerability (classified as CWE-770: Allocation of Resources Without Limits or Throttling) exists in how Axios handles streaming responses. Under normal operation, Axios provides the maxContentLength configuration option to limit the size of response bodies, protecting applications from processing unexpectedly large payloads. However, when a developer configures responseType: 'stream', this safety mechanism is bypassed entirely.
The vulnerability allows an attacker controlling or manipulating the response from a remote server to send arbitrarily large data streams. Since the maxContentLength check is not enforced for streaming responses, the application will continue consuming data without bounds, potentially exhausting available memory or other system resources.
Root Cause
The root cause lies in the Axios response handling logic that processes streaming responses differently from buffered responses. When responseType: 'stream' is specified, the response stream is returned directly to the caller without first checking the content length against the configured maxContentLength value. This architectural decision creates an inconsistency in how response size limits are enforced across different response types.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability in scenarios where:
- The application makes HTTP requests to attacker-controlled or compromised endpoints
- Server-Side Request Forgery (SSRF) vulnerabilities exist that allow attackers to redirect Axios requests
- Man-in-the-middle positions allow response manipulation
The exploitation involves returning an extremely large or infinite response stream to an Axios client configured with responseType: 'stream'. Since the maxContentLength limit is ignored, the application will attempt to process all incoming data, leading to resource exhaustion.
For detailed technical information about the vulnerability mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-42036
Indicators of Compromise
- Unusual memory consumption spikes in Node.js applications using Axios
- Application crashes due to out-of-memory errors during HTTP streaming operations
- Network connections remaining open for extended periods during large data transfers
- Elevated garbage collection activity in Node.js processes
Detection Strategies
- Audit application code for usage of responseType: 'stream' in Axios configurations
- Monitor memory utilization patterns for Node.js applications making external HTTP requests
- Implement logging around Axios request/response cycles to identify abnormal data transfer sizes
- Use software composition analysis (SCA) tools to identify vulnerable Axios versions in your dependency tree
Monitoring Recommendations
- Set up memory threshold alerts for applications using Axios streaming functionality
- Monitor network traffic for unusually large response payloads to internal services
- Track Axios request durations and flag requests exceeding expected transfer times
- Implement application performance monitoring (APM) to detect resource exhaustion patterns
How to Mitigate CVE-2026-42036
Immediate Actions Required
- Update Axios to version 1.15.1 or later for the 1.x branch
- Update Axios to version 0.31.1 or later for the 0.x branch
- Audit all application code using Axios with responseType: 'stream' configurations
- Implement additional application-level size checks for streaming responses as defense-in-depth
Patch Information
The vulnerability has been addressed in Axios versions 1.15.1 and 0.31.1. The fix ensures that maxContentLength limits are properly enforced even when using streaming response types. Detailed patch information is available in the GitHub Security Advisory.
Workarounds
- Implement manual size tracking and stream termination for streaming responses before upgrading
- Use Node.js native http/https modules with explicit size limits for critical streaming operations
- Add middleware or wrapper functions that enforce content length checks on incoming streams
- Configure network-level protections to limit maximum response sizes from external endpoints
# Update Axios to patched version
npm update axios@1.15.1
# Or for 0.x branch
npm update axios@0.31.1
# Verify installed version
npm list axios
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
