The vulnerability exists in the `encode()` function inside `lib/helpers/AxiosURLSearchParams.js` at line 21. A `charMap` object maps special characters to their percent-encoded forms. For every mapping the direction is literal → encoded, which is safe. However, the entry `'%00': '\x00'` reverses this: it takes the already-safe percent-encoded null byte `%00` (produced by `encodeURIComponent('\x00')`) and converts it back into a raw null byte. This is a reverse-encoding defect.

The function applies `encodeURIComponent(str)` and then calls `.replace()` with a regex that matches `[!'()~]|%20|%00`. When `%00` is matched, `charMap['%00']` returns the raw null byte instead of keeping it encoded. As a result, any input containing a null byte (`\x00`) yields a raw null byte in the output string.

The standard axios request flow (via `buildURL`) is not vulnerable, because `buildURL` uses its own safe `encode` function and passes an external encoder to `AxiosURLSearchParams.toString()`, which bypasses the defective internal `encode`. Only direct calls to `AxiosURLSearchParams.toString()` without an encoder, or a custom `paramsSerializer` that delegates to the internal encoder, trigger the bug. The defect is a clear coding error with no legitimate use case.
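As an added example, not axios's own source and not part of the original post, the following reconstructs the `encode()` helper from the description above so the defect can be seen without installing axios. The `charMap` contents and the regex are taken from that description and are assumptions here; the defective and the fixed versions are placed side by side, and a small check shows which output still carries a raw null byte.

```javascript
// Reconstruction of the encode() helper described above (not axios's own code).
// Assumed charMap: every entry is literal -> encoded, except '%00' -> '\x00',
// which turns the already-encoded null byte back into a raw one.
const charMapVulnerable = {
  '!': '%21',
  "'": '%27',
  '(': '%28',
  ')': '%29',
  '~': '%7E',
  '%20': '+',
  '%00': '\x00',
};

// Fixed charMap: the '%00' entry is removed, so '%00' is left exactly as
// encodeURIComponent produced it.
const charMapFixed = {
  '!': '%21',
  "'": '%27',
  '(': '%28',
  ')': '%29',
  '~': '%7E',
  '%20': '+',
};

// Build an encoder: encodeURIComponent first, then map the listed sequences.
function makeEncoder(charMap, pattern) {
  return (str) => encodeURIComponent(str).replace(pattern, (m) => charMap[m]);
}

// Vulnerable: the regex still matches %00 and the map reverses the encoding.
const encodeVulnerable = makeEncoder(charMapVulnerable, /[!'()~]|%20|%00/g);
// Fixed: '|%00' removed from the regex and the entry removed from the map.
const encodeFixed = makeEncoder(charMapFixed, /[!'()~]|%20/g);

// Serialize a flat params object the way toString() does, with a chosen encoder.
function serialize(params, encode) {
  return Object.entries(params)
    .map(([k, v]) => `${encode(k)}=${encode(v)}`)
    .join('&');
}

// Defender-side check: does the serialized output contain a raw NUL byte?
// Correctly encoded output never does; NUL must appear as "%00".
function containsRawNull(s) {
  return s.includes('\x00');
}

// Constructed sample input: a filename with an embedded null byte.
const sample = { file: 'secret\x00.jpg' };
const vulnOut = serialize(sample, encodeVulnerable);   // raw NUL survives
const fixedOut = serialize(sample, encodeFixed);       // stays "%00"

console.log(JSON.stringify(vulnOut), containsRawNull(vulnOut));
console.log(JSON.stringify(fixedOut), containsRawNull(fixedOut));
```

The only difference between the two encoders is the `%00` mapping and the `|%00` alternative in the regex, which is exactly the vendor fix described in the protection list; everything else (`!`, `'`, `(`, `)`, `~`, space) is encoded identically by both.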
Platform: Node.js / browser
Version: all affected versions
Vulnerability: null byte injection
Severity: low (CVSS 3.7)
Date: 2026-04-16
Prediction: 2026-05-15 (30 days)
What Undercode Says:
```shell
# Discover vulnerable code location
grep -n "%00" lib/helpers/AxiosURLSearchParams.js

# Test direct instantiation (vulnerable). The helper is imported by its path,
# as in the buildURL check below, because the axios default export does not
# expose AxiosURLSearchParams.
node -e "import('axios/lib/helpers/AxiosURLSearchParams.js').then(m=>{const p=new m.default({f:'\x00'});console.log(JSON.stringify(p.toString()));})"

# Hex dump to confirm null byte (00)
node -e "import('axios/lib/helpers/AxiosURLSearchParams.js').then(m=>{const p=new m.default({f:'\x00'});console.log(Buffer.from(p.toString()).toString('hex'));})"

# Safe path via buildURL (not vulnerable)
node -e "import('axios/lib/helpers/buildURL.js').then(m=>console.log(m.default('http://a',{f:'\x00'})))"
```
Exploit:
```javascript
// Direct usage of AxiosURLSearchParams (bypasses buildURL's safe encoder).
// The helper is an ES module with a default export, so it is imported by path
// rather than destructured from the axios package.
import AxiosURLSearchParams from 'axios/lib/helpers/AxiosURLSearchParams.js';

const params = new AxiosURLSearchParams({ file: 'secret\x00.jpg' });
// No encoder is passed, so the defective internal encode() is used.
const url = 'https://example.com/api?' + params.toString();
// Resulting URL contains a raw null byte, truncating at \x00 in C-based backends
// curl -v "https://example.com/api?file=secret" (the .jpg and following chars lost)
```
Protection from this CVE:
- Never instantiate `AxiosURLSearchParams` directly without an encoder. Use `buildURL` or axios's standard request methods (e.g., `axios.get()`, `axios.post()`), which automatically take the safe code path.
- If custom serialization is required, provide an external `encode` function that does not delegate to the internal `encode` of `AxiosURLSearchParams`.
- Apply the vendor fix: remove the line `'%00': '\x00'` from `charMap` and delete `|%00` from the regex inside `lib/helpers/AxiosURLSearchParams.js`.
- Use a WAF rule to block raw null bytes (`\x00`) in query parameters.
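The following is an added example, not part of the original post and not axios code. It puts two of the mitigations above into code: a custom serializer that relies on an external encoder (`URLSearchParams`) rather than the library's internal `encode`, wrapped in a guard that refuses any output still carrying raw control bytes, and a request-side check of the kind a WAF rule would apply. The function names (`safeSerialize`, `guardedSerializer`, `requestAllowed`) and the deliberately broken stand-in serializer are hypothetical.

```javascript
// True if the string holds a raw NUL or any other C0/DEL control byte.
// Correctly percent-encoded output never does: NUL must appear as "%00".
function hasRawControlBytes(s) {
  return /[\x00-\x1f\x7f]/.test(s);
}

// External serializer: URLSearchParams percent-encodes NUL as %00 and never
// touches axios's internal encode(), so it cannot hit the reverse-encoding bug.
function safeSerialize(params) {
  return new URLSearchParams(params).toString();
}

// Constructed stand-in for a defective serializer (no encoding at all). It is
// here only to show the guard firing; it is not axios code.
function brokenSerialize(params) {
  return Object.entries(params).map(([k, v]) => `${k}=${v}`).join('&');
}

// Wrap any serializer so that a raw control byte in its output is treated as
// a bug and the request is never sent with it.
function guardedSerializer(serialize) {
  return (params) => {
    const out = serialize(params);
    if (hasRawControlBytes(out)) {
      throw new TypeError('serialized query contains raw control bytes');
    }
    return out;
  };
}

// Request-side check (WAF-style): reject a raw request target containing a
// null byte before any C-based parser downstream can truncate on it.
function requestAllowed(rawTarget) {
  return !rawTarget.includes('\x00');
}

// Helper for the demonstration: true if the guard rejected the broken
// serializer's output for these params.
function guardRejectsBroken(params) {
  try {
    guardedSerializer(brokenSerialize)(params);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed sample input: a filename with an embedded null byte.
const sample = { file: 'secret\x00.jpg' };

console.log(guardedSerializer(safeSerialize)(sample)); // file=secret%00.jpg
console.log(guardRejectsBroken(sample));                // true
console.log(requestAllowed('/api?file=secret\x00.jpg')); // false
```

In an axios request config the guarded function can be supplied as the `paramsSerializer` function, so the null byte is either encoded as `%00` by the external encoder or the request fails loudly; the `requestAllowed` check belongs at the edge (reverse proxy or WAF), where the raw request target is still available.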
Impact:
- Primary impact is low because the standard axios flow is unaffected.
- Direct API users of `AxiosURLSearchParams` can inject null bytes into URLs.
- Downstream C-based parsers (e.g., old HTTP servers, file system calls) may truncate the URL at the null byte, leading to:
  - Access control bypass (e.g., `admin\x00.txt` → `admin`).
  - Log injection / obfuscation (null byte hides trailing characters in logs).
  - WAF bypass (null byte may not be inspected after truncation).
- No confidentiality loss, no availability impact, integrity low.
- The defect indicates poor encoding hygiene and could signal other similar issues.
Sources:
Reported By: github.com