CVE-2026-42040 Overview
CVE-2026-42040 is an improper output encoding vulnerability affecting Axios, a widely used promise-based HTTP client for both browser and Node.js environments. The vulnerability exists in the encode() function within lib/helpers/AxiosURLSearchParams.js, where a character mapping (charMap) inadvertently reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\x00' converts it back to a raw null byte, potentially allowing attackers to inject null bytes into URL parameters under specific conditions.
Critical Impact
Applications using Axios's AxiosURLSearchParams helper directly may be vulnerable to null byte injection attacks, though the standard axios request flow is not affected.
Affected Products
- Axios versions prior to 1.15.1
- Axios versions prior to 0.31.1
- Axios for Node.js (all platforms)
Discovery Timeline
- 2026-04-24 - CVE-2026-42040 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-42040
Vulnerability Analysis
This vulnerability falls under CWE-116: Improper Encoding or Escaping of Output. The core issue lies in the character mapping implementation within the AxiosURLSearchParams helper class. While the vulnerability requires specific conditions to exploit—namely direct usage of the affected encoding helper rather than standard Axios request methods—it represents a design flaw in how URL parameters are processed.
The vulnerability has a network-based attack vector but requires high attack complexity to exploit successfully. Authentication is not required, and no user interaction is needed. The impact is limited to integrity concerns with no confidentiality or availability impact, as the standard axios request flow remains unaffected by this encoding issue.
Root Cause
The root cause is an improper character mapping configuration in the charMap object at line 21 of lib/helpers/AxiosURLSearchParams.js. The mapping contains an entry '%00': '\x00' that explicitly reverses the percent-encoding of null bytes. When encodeURIComponent() correctly encodes a null byte character (\x00) to its safe representation (%00), the subsequent character mapping transformation converts it back to the raw null byte character. This defeats the purpose of the initial encoding step and creates an opportunity for null byte injection in specific usage scenarios.
Attack Vector
The attack vector is network-based but limited in scope. An attacker would need to craft malicious input containing null byte characters that is processed through the AxiosURLSearchParams.encode() function. Exploitation requires all of the following:
- The target application must use the AxiosURLSearchParams helper directly rather than standard Axios request methods
- User-controlled input must be passed through the vulnerable encoding function
- The downstream system must be susceptible to null byte injection attacks
The vulnerability mechanism is the improper character mapping that reverses null byte encoding. When the encode() function processes input containing null bytes, the charMap transformation converts properly encoded %00 sequences back to raw \x00 characters. For detailed technical information, refer to the GitHub Security Advisory.
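The following is an added example modelled on the mechanism described above; it is not axios's own source file. It places a model of the vulnerable encode() (with the '%00': '\x00' charMap entry) beside the corrected mapping and a null-stripping wrapper that implements the sanitization workaround. The names encodeVulnerable, encodeFixed, encodeWithNullStripped and hasRawNullByte are chosen here, and the sample value is constructed.

```javascript
// Added example (not axios's own source): a model of the encode() helper the
// advisory describes, with the charMap entry that undoes the %00 encoding,
// beside the corrected mapping and a defensive wrapper that strips null bytes.

// Vulnerable model: encodeURIComponent() yields %00, then charMap maps it
// back to a raw null byte. ('%20' -> '+' is the intended form-encoding rule.)
const vulnerableCharMap = {
  '!': '!', "'": "'", '(': '(', ')': ')', '~': '~',
  '%20': '+',
  '%00': '\x00'   // the entry the advisory identifies as the root cause
};

function encodeVulnerable(str) {
  return encodeURIComponent(str).replace(/[!'()~]|%20|%00/g,
    (match) => vulnerableCharMap[match]);
}

// Fixed model: the '%00' entry (and the matching regex alternative) is gone,
// so null bytes stay percent-encoded as %00.
const fixedCharMap = {
  '!': '!', "'": "'", '(': '(', ')': ')', '~': '~',
  '%20': '+'
};

function encodeFixed(str) {
  return encodeURIComponent(str).replace(/[!'()~]|%20/g,
    (match) => fixedCharMap[match]);
}

// Workaround for callers still on an unpatched version: strip null bytes from
// user input before it reaches the encoder. (Hypothetical helper name.)
function encodeWithNullStripped(str, encoder = encodeVulnerable) {
  return encoder(String(str).replace(/\x00/g, ''));
}

// Check helper: does an encoded parameter string still contain a raw null byte?
function hasRawNullByte(encoded) {
  return encoded.includes('\x00');
}

// Constructed sample input: a value with an embedded null byte.
const sample = 'report.pdf\x00.exe';
// encodeVulnerable(sample)       -> 'report.pdf\x00.exe' (raw null byte survives)
// encodeFixed(sample)            -> 'report.pdf%00.exe'
// encodeWithNullStripped(sample) -> 'report.pdf.exe'
```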
Detection Methods for CVE-2026-42040
Indicators of Compromise
- Unusual null byte characters appearing in HTTP request parameters or URLs
- Application logs showing malformed URL encoding sequences
- Backend systems receiving unexpected raw null bytes in query parameters
Detection Strategies
- Perform dependency scanning to identify vulnerable Axios versions prior to 1.15.1 or 0.31.1
- Monitor application code for direct usage of AxiosURLSearchParams helper class
- Implement input validation checks for null byte characters in user-supplied data
Monitoring Recommendations
- Enable verbose logging for URL parameter processing in affected applications
- Set up alerts for package manifest files containing outdated Axios versions
- Monitor software composition analysis (SCA) tools for this vulnerability
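As an added example for the first indicator listed above (not part of the advisory), the check below scans request targets from access-log style lines and reports query parameters that carry a raw null byte, while leaving the safe %00 form alone. The functions findRawNullParams and scanLogLines and the sample lines are constructed for this example.

```javascript
// Added example (not from the advisory): scan captured request targets for
// the indicator described above, raw null bytes in query parameters.

// Returns the names of query parameters whose key or value contains a raw
// null byte. The raw string is inspected on purpose: the WHATWG URL parser
// would re-encode \x00 as %00 and hide the indicator.
function findRawNullParams(requestTarget) {
  const qIndex = requestTarget.indexOf('?');
  if (qIndex === -1) return [];
  const query = requestTarget.slice(qIndex + 1);
  const hits = [];
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    if (key.includes('\x00') || value.includes('\x00')) {
      // Make a null byte in the key itself visible in the finding.
      hits.push(key.replace(/\x00/g, '<NUL>'));
    }
  }
  return hits;
}

// Scans lines of the form "METHOD target STATUS" and reports the offending
// line numbers with their affected parameter names.
function scanLogLines(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const target = line.split(' ')[1] || '';
    const params = findRawNullParams(target);
    if (params.length) findings.push({ line: i + 1, params });
  });
  return findings;
}

// Constructed sample: line 2 carries a raw null byte in "file"; line 3 shows
// the safe %00 form a patched encoder produces and must not be flagged.
const sampleLines = [
  'GET /search?q=axios&page=2 200',
  'GET /download?file=report.pdf\x00.exe&v=1 200',
  'GET /download?file=report.pdf%00.exe 400',
];
// scanLogLines(sampleLines) -> [{ line: 2, params: ['file'] }]
```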
How to Mitigate CVE-2026-42040
Immediate Actions Required
- Upgrade Axios to version 1.15.1 or later for the 1.x branch
- Upgrade Axios to version 0.31.1 or later for the 0.x branch
- Audit application code for direct usage of AxiosURLSearchParams encoding functions
- Implement input sanitization to filter null byte characters before URL parameter encoding
Patch Information
The vulnerability has been patched in Axios versions 1.15.1 and 0.31.1. The fix removes the problematic charMap entry that was reversing the null byte encoding. Users should update their Axios dependency to the latest patched version immediately. For complete patch details, see the GitHub Security Advisory.
Workarounds
- Avoid direct usage of the AxiosURLSearchParams helper class until patched
- Implement custom input sanitization to strip null bytes before encoding
- Use standard Axios request methods which are not affected by this vulnerability
# Update Axios to the patched version (1.x branch; use axios@0.31.1 for the 0.x branch)
npm install axios@1.15.1
# Or for yarn users
yarn upgrade axios@1.15.1
# Verify installed version
npm list axios
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.