(Nodejs axios), CRLF Injection in multipart form-data, CVE-2023-45857 (critical)


The vulnerability exists in `lib/helpers/formDataToStream.js` at line 27. When processing a Blob/File-like object, the code directly interpolates `value.type` into the `Content-Type` header of a multipart part without sanitizing CRLF (`\r\n`) sequences: ``headers += `Content-Type: ${value.type || 'application/octet-stream'}${CRLF}`;``. In contrast, the string path explicitly sanitizes line breaks using `.replace(/\r?\n|\r\n?/g, CRLF)`, confirming that sanitization was intended but missed for `value.type`. An attacker who controls the `.type` property of a user-uploaded file (e.g., in a Node.js proxy service) can inject arbitrary MIME part headers by embedding `\r\n` followed by malicious headers. The attack chain: the attacker uploads a crafted file with a MIME type like `image/jpeg\r\nX-Injected-Header: PWNED`; the proxy appends it to a FormData object and posts it via `axios.post(url, formData)`; axios calls `formDataToStream()`, which writes the unsanitized `value.type` into the multipart body; the downstream server receives the injected headers and parses them as legitimate. This bypasses Node.js v18+ HTTP header protections because the injection targets the multipart body structure, not the HTTP request headers. The `value.name` used in the nearby `Content-Disposition` header likely has the same issue. The vulnerability is reachable via the public axios API with no special configuration. PoC: create a FormData-like object, set `type` to a CRLF payload, call `axios.post()`, and observe the injected headers in the received body. Fixed in axios 1.6.0 by sanitizing `value.type` with `.replace(/[\r\n]/g, '')`.

dailycve form:

Platform: Node.js axios
Version: <=1.5.1
Vulnerability: CRLF header injection
Severity: Critical
Date: 2023-10-20

Prediction: 2023-11-15

Analytics under heading What Undercode Say:

Check axios version
npm list axios
Test vulnerable endpoint
node poc_axios_crlf.js
Extract injected headers from multipart
grep -i "X-Injected-Header" multipart.log
Diff between vulnerable and fixed code
diff lib/helpers/formDataToStream.js{,.fixed}
// Vulnerable line (27)
headers += `Content-Type: ${value.type || 'application/octet-stream'}${CRLF}`;
// Fixed version
const safeType = (value.type || 'application/octet-stream').replace(/[\r\n]/g, '');
headers += `Content-Type: ${safeType}${CRLF}`;

Exploit:

// PoC as described above: the attacker-controlled MIME type carries CRLF.
import axios from 'axios';

const fd = new FormData();                       // Node 18+ global FormData
const evil = new Blob([Buffer.from('x')], {
  type: 'image/jpeg\r\nX-Injected-Header: PWNED\r\nContent-Disposition: form-data; name="evil"',
});
fd.append('file', evil, 'poc.jpg');              // .type is read by formDataToStream()
await axios.post('http://victim/upload', fd);    // top-level await: run as an ES module

Protection from this CVE

Upgrade axios to >=1.6.0 (`npm install axios@latest`). If you cannot upgrade, manually sanitize the `type` property of every Blob/File object before appending it to FormData: `type.replace(/[\r\n]/g, '')`. Implement a wrapper that validates MIME types against an allowlist and rejects any value containing CR, LF, or other control characters. Use a reverse proxy or WAF to strip `\r` and `\n` from multipart part headers before forwarding. Audit `value.name` in the same way.
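As an added example (not axios's own code and not from this post), the vulnerable and fixed part-header construction side by side, plus the allowlist wrapper recommended above; the function names, the minimal Blob-like input, and the allowlist contents are assumptions chosen for illustration.

```javascript
// Added example, not axios's own code. Contrasts the vulnerable and fixed
// Content-Type construction for one multipart part and shows an allowlist
// check a proxy can apply to a Blob's .type before calling fd.append().
const CRLF = '\r\n';

// Assumption: `value` is a minimal Blob/File-like object with .name and .type,
// which is what formDataToStream() reads for file parts.
function partHeadersVulnerable(name, value) {
  let headers = `Content-Disposition: form-data; name="${name}"; filename="${value.name}"${CRLF}`;
  // Vulnerable: value.type is interpolated with any CR/LF it contains.
  headers += `Content-Type: ${value.type || 'application/octet-stream'}${CRLF}`;
  return headers + CRLF; // blank line terminates the part's header block
}

function partHeadersFixed(name, value) {
  let headers = `Content-Disposition: form-data; name="${name}"; filename="${value.name}"${CRLF}`;
  // Fixed (the axios 1.6.0 approach): strip CR and LF before interpolating.
  const safeType = (value.type || 'application/octet-stream').replace(/[\r\n]/g, '');
  headers += `Content-Type: ${safeType}${CRLF}`;
  return headers + CRLF;
}

// Counts non-empty header lines in a part's header block; an injected CRLF
// shows up as an extra line, which is a simple check to run over a captured
// multipart body when triaging a proxy.
function countHeaderLines(headers) {
  return headers.split(CRLF).filter(Boolean).length;
}

// Hypothetical allowlist wrapper for a proxy that cannot upgrade yet.
const ALLOWED_MIME = new Set(['image/jpeg', 'image/png', 'application/pdf']);
// Restricted type/subtype token syntax: no whitespace, no control characters.
const MIME_SYNTAX = /^[a-z0-9][a-z0-9!#$&^_.+-]*\/[a-z0-9][a-z0-9!#$&^_.+-]*$/i;

function validateMimeType(type) {
  if (typeof type !== 'string') return false;
  // Reject CR, LF and every other control character outright.
  if (/[\x00-\x1f\x7f]/.test(type)) return false;
  if (!MIME_SYNTAX.test(type)) return false;
  return ALLOWED_MIME.has(type.toLowerCase());
}
```

Call `validateMimeType(blob.type)` before `fd.append()` and reject the upload on `false`; the allowlist stays deliberately short and must be extended per service.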

Impact

Any Node.js proxy, file upload relay, or API gateway that accepts user-controlled file MIME types and reposts via axios FormData is vulnerable. Attackers can bypass server-side Content-Type filters (e.g., upload a `.exe` with `image/jpeg` plus injected Content-Type: application/x-msdownload), confuse multipart parsers to misroute data, inject phantom form fields if the boundary is known, and exploit downstream vulnerabilities (e.g., SSRF, deserialization) that trust per-part headers. With over 40 million weekly downloads, axios’s blast radius amplifies this flaw considerably.


Sources:

Reported By: github.com