Axios, maxBodyLength Bypass, CVE-2026-42034 (medium)

When `maxRedirects` is set to 0, Axios switches to the native http/https transport path instead of using the `follow-redirects` module. In the normal flow (with `maxRedirects` set to a non-zero value), the `maxBodyLength` restriction is enforced by the `follow-redirects` module. However, when `maxRedirects` is explicitly set to 0, the request bypasses this module and uses the native Node.js transport. In the native transport path, the `maxBodyLength` option is set but never actually validated. Specifically, in lib/adapters/http.js, lines 556-564 show that the `maxBodyLength` check only applies to buffered (non-stream) data. For streamed request bodies, the `pipe` method is used, and no byte counting or size enforcement occurs. Between lines 925-945, the stream is piped directly to the socket via data.pipe(req), completely bypassing Axios’s size-limiting logic. As a result, any oversized streamed upload is transmitted in full, regardless of the `maxBodyLength` setting. This allows an attacker to send arbitrarily large payloads, leading to resource exhaustion and denial of service.

dailycve form:
Platform: Node.js Axios
Version: ≤1.15.0, ≤0.31.0
Vulnerability: maxBodyLength bypass
Severity: Moderate (5.3)
Date: 2026-04-24
Prediction: Patch 2026-04-24

What Undercode Say:

Check your Axios version:

    npm list axios

Reproduction proof-of-concept (requires a test server listening on localhost:8080/upload):

    node -e "
    const axios = require('axios');
    const { Readable } = require('stream');
    // Constructed body: a single 1 MiB chunk, far above the 1024-byte limit set below.
    const hugeStream = new Readable({
      read(size) {
        this.push(Buffer.alloc(1024 * 1024, 'A')); // 1 MiB chunk
        this.push(null);                           // end of stream
      }
    });
    axios({
      method: 'post',
      url: 'http://localhost:8080/upload',
      data: hugeStream,
      maxBodyLength: 1024, // limit that the native transport path never checks for streams
      maxRedirects: 0,     // forces the native http/https path instead of follow-redirects
      adapter: 'http'
    }).then(console.log).catch(console.error);
    "

Exploit:

An attacker crafts an HTTP request with a streamed body while setting `maxRedirects: 0` and `maxBodyLength: 1024`. Despite the limit, a 2 MiB payload is fully transmitted. The server confirms receipt of all bytes, proving the bypass.

Protection from this CVE

  • Upgrade Axios to version 1.15.1 or 0.31.1 or later.
  • Avoid setting `maxRedirects: 0` when using streamed request bodies.
  • Implement additional size checks at the server level.

Impact

Uncontrolled upstream upload leading to resource exhaustion (Denial of Service) in Node.js services that rely on `maxBodyLength` for streamed requests, particularly when following Axios’s own guidance to use `maxRedirects: 0` for streams.

Sources:

Reported By: github.com