CVE-2026-42037 Overview
CVE-2026-42037 is a CRLF injection vulnerability affecting the popular Axios HTTP client library for Node.js and browser environments. The vulnerability exists in the FormDataPart constructor located in lib/helpers/formDataToStream.js, where the value.type property is interpolated directly into the Content-Type header of multipart form-data parts without proper sanitization of CRLF (\r\n) sequences.
An attacker who controls the .type property of a Blob or File-like object—such as through a user-uploaded file in a Node.js proxy service—can inject arbitrary MIME part headers into the multipart form-data body. This attack is particularly concerning because it bypasses the built-in header protections introduced in Node.js v18+, as the injection targets the multipart body structure rather than HTTP request headers.
Critical Impact
Attackers can manipulate multipart form-data requests to inject arbitrary headers, potentially leading to request smuggling, security control bypass, or data manipulation in downstream services.
Affected Products
- Axios versions from 1.0.0 to before 1.15.1
- Node.js applications using Axios for multipart form-data handling
- Proxy services that forward user-controlled file uploads via Axios
Discovery Timeline
- 2026-04-24 - CVE-2026-42037 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-42037
Vulnerability Analysis
This vulnerability falls under CWE-93 (Improper Neutralization of CRLF Sequences), also known as HTTP Response Splitting or CRLF Injection. The root issue lies in how Axios handles the Content-Type header generation for multipart form-data parts.
When processing multipart form-data, the FormDataPart constructor builds the Content-Type header for each part by directly interpolating the value.type property. In legitimate use cases, this property contains a MIME type string such as application/json or image/png. However, if an attacker can control this property, they can inject CRLF sequences followed by additional header lines.
The attack surface is network-accessible and requires no authentication or user interaction, making it exploitable in automated attack scenarios. The primary impact is integrity-focused, allowing attackers to modify the structure and content of outbound HTTP requests.
Root Cause
The root cause is missing input sanitization in the FormDataPart constructor within lib/helpers/formDataToStream.js. The code trusts that the value.type property contains only valid MIME type characters without CRLF sequences. When processing Blob or File-like objects, this property is concatenated directly into the multipart body without escaping or validating the input.
This design flaw allows malicious payloads containing \r\n sequences to break out of the Content-Type header context and inject additional MIME part headers.
Attack Vector
The attack requires an attacker to control the .type property of a Blob or File-like object that gets processed by Axios. Common attack scenarios include:
- Proxy Services: Node.js applications that accept file uploads and forward them to backend services using Axios. An attacker crafts a malicious file object with a poisoned type property.
- User-Generated Content: Applications that process user-provided metadata about files, where the MIME type is derived from untrusted input.
- API Integrations: Services that construct form-data from external data sources without proper validation.
The vulnerability bypasses Node.js v18+ built-in header protections because those protections guard against injection in HTTP request headers, not in the multipart body structure itself. The injection occurs within the body content where CRLF sequences are structurally significant for defining MIME part boundaries.
For technical details on the exploitation mechanism, see the GitHub Security Advisory.
Detection Methods for CVE-2026-42037
Indicators of Compromise
- Unusual multipart form-data requests containing unexpected headers or boundary manipulations
- HTTP logs showing malformed Content-Type values with embedded newline characters or additional header fields
- Backend services receiving unexpected headers or modified request structures from proxy applications
Detection Strategies
- Implement input validation checks for MIME type values, flagging any containing CRLF sequences (\r\n or %0D%0A)
- Monitor application logs for form-data processing errors or unexpected multipart parsing failures
- Use software composition analysis (SCA) tools to identify vulnerable Axios versions (1.0.0 to 1.15.0) in your dependency tree
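Two defender-side checks for the indicators and strategies listed above, written here as an added example rather than taken from the advisory: a scanner that flags Content-Type values in log lines carrying raw, logger-escaped or percent-encoded CR/LF, and an inspector that reports any multipart part header other than Content-Disposition or Content-Type. The log format, the function names and the sample data are constructed assumptions.

```javascript
// Added detection example (constructed, not from the advisory): checks on
// log lines and on raw multipart bodies for the symptoms listed above.

// Raw or logger-escaped CR/LF, or their percent-encoded forms, inside a value.
const CRLF_RE = /\r|\n|\\r|\\n|%0d|%0a/i;
// key=value pairs whose key names a content type (quoted or bare value).
const CT_VALUE_RE = /\b(content[-_]type|part_ct|ct)=(?:"([^"]*)"|(\S+))/gi;

// Scan log lines; return { line, key, value } for each flagged content type.
function findCrlfInContentTypes(lines) {
  const hits = [];
  lines.forEach((line, idx) => {
    for (const m of line.matchAll(CT_VALUE_RE)) {
      const value = m[2] !== undefined ? m[2] : m[3];
      if (CRLF_RE.test(value)) hits.push({ line: idx, key: m[1], value });
    }
  });
  return hits;
}

// Inspect a multipart body: report any part header other than the two a
// legitimate part carries, which is the trace an injected .type leaves.
function unexpectedPartHeaders(body, boundary) {
  const allowed = new Set(['content-disposition', 'content-type']);
  const findings = [];
  body.split(`--${boundary}`).slice(1).forEach((part, i) => {
    if (part.startsWith('--')) return;              // closing delimiter
    const headerEnd = part.indexOf('\r\n\r\n');
    if (headerEnd < 2) return;                      // no header block
    for (const h of part.slice(2, headerEnd).split('\r\n')) {
      const name = h.split(':')[0].trim().toLowerCase();
      if (name && !allowed.has(name)) findings.push({ part: i, header: name });
    }
  });
  return findings;
}

// Constructed sample log lines: only the third and fourth should be flagged.
const SAMPLE_LOG = [
  'ts=1 method=POST path=/upload part_ct="image/png"',
  'ts=2 method=POST path=/upload part_ct="application/json"',
  'ts=3 method=POST path=/upload part_ct="text/plain\\r\\nX-Extra: 1"',
  'ts=4 method=POST path=/proxy ct=multipart/form-data;%0D%0AX-Extra:%201',
  'ts=5 method=GET path=/health ct="text/html; charset=utf-8"',
];
// Constructed multipart body whose only part carries one injected header.
const SAMPLE_BODY =
  '--b1\r\nContent-Disposition: form-data; name="f"; filename="a.txt"\r\n' +
  'Content-Type: text/plain\r\nX-Extra: 1\r\n\r\nhello\r\n--b1--\r\n';
```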
Monitoring Recommendations
- Enable detailed logging for Axios request handling to capture Content-Type header values
- Implement Web Application Firewall (WAF) rules to detect and block CRLF injection patterns in request payloads
- Monitor for anomalous behavior in downstream services that may indicate successful header injection attacks
How to Mitigate CVE-2026-42037
Immediate Actions Required
- Upgrade Axios to version 1.15.1 or later immediately
- Audit code that processes user-controlled file objects with Axios multipart form-data
- Implement server-side validation to sanitize or reject MIME type values containing CRLF sequences
Patch Information
The vulnerability is fixed in Axios version 1.15.1. The patch sanitizes CRLF sequences from the value.type property before interpolation into the Content-Type header, preventing header injection attacks.
For full details on the fix, refer to the GitHub Security Advisory.
Workarounds
- Validate and sanitize all user-controlled MIME type values before passing them to Axios, stripping any CRLF characters
- Implement a whitelist of allowed MIME types and reject any values not matching the expected format
- Consider wrapping file upload handling to enforce strict type validation before Axios processes the data
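To make the root cause and the validation workaround concrete, here is an added illustration that is not Axios's own code and not the 1.15.1 patch: a naive part-header builder that interpolates a file-like object's .type as the advisory describes, beside a strict MIME-type validator and a wrapper that applies it (with an optional allowlist) before the object is handed to axios. The function names and the sample file object are constructed.

```javascript
// Added illustration (hypothetical code, not Axios's and not the 1.15.1 patch):
// a part-header builder that interpolates a file-like object's .type the way
// the advisory describes, beside a validator/wrapper that stops CR/LF reaching it.

// Naive builder mirroring the root cause: .type goes straight into the header.
function partHeadersUnsafe(fieldName, file) {
  return `Content-Disposition: form-data; name="${fieldName}"; filename="${file.name}"\r\n` +
         `Content-Type: ${file.type}\r\n\r\n`;
}

// Strict MIME grammar: token "/" token, optional "; key=value" parameters.
// Spaces only (never \s) between parameters so CR/LF can never slip through.
const TOKEN = '[A-Za-z0-9!#$&^_.+-]+';
const MIME_RE = new RegExp(
  `^${TOKEN}\\/${TOKEN}(; *${TOKEN}=(${TOKEN}|"[^"\\r\\n]*"))*$`
);

function isSafeMimeType(type) {
  // Explicit CR/LF/NUL rejection first, then the grammar check.
  return typeof type === 'string' && !/[\r\n\0]/.test(type) && MIME_RE.test(type);
}

// Wrapper to run on user-controlled file objects before they reach axios.
// Invalid types are replaced, then the essence is optionally allowlisted.
function sanitizeFileLike(file, allowlist = null) {
  const type = isSafeMimeType(file.type) ? file.type : 'application/octet-stream';
  const essence = type.split(';')[0].toLowerCase();
  if (allowlist && !allowlist.includes(essence)) {
    throw new Error(`MIME type not permitted: ${essence}`);
  }
  return { ...file, type };
}

// Header lines a part would carry; a correctly built part has exactly two.
function countHeaderLines(headerBlock) {
  return headerBlock.replace(/\r\n\r\n$/, '').split('\r\n').length;
}

// Constructed sample: a file-like object whose .type carries a CRLF sequence.
const SUSPICIOUS_FILE = { name: 'report.txt', type: 'text/plain\r\nX-Extra: 1', data: 'hi' };

console.log(countHeaderLines(partHeadersUnsafe('upload', SUSPICIOUS_FILE)));                   // 3
console.log(countHeaderLines(partHeadersUnsafe('upload', sanitizeFileLike(SUSPICIOUS_FILE)))); // 2
```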
# Update Axios within the semver range declared in package.json
npm update axios
# Or install the specific fixed version
npm install axios@1.15.1 --save
# Confirm the resolved version (including any transitive copies) is 1.15.1 or later
npm ls axios
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.