Unbounded Response Stream in Axios HTTP Client
CVE-2026-42036

5.3MEDIUM

Key Information:

Vendor: AxiOS
Status: AxiOS
Vendor: CVE Published:; 24 April 2026

What is CVE-2026-42036?

Axios, a popular HTTP client used for both browsers and Node.js, has a vulnerability where the responseType: 'stream' option can allow responses to bypass configured maximum content length settings. This can lead to unbounded downstream consumption, putting the application at risk of resource exhaustion. The issue exists in versions prior to 1.15.1 and 0.31.1, where no limit is enforced on the size of the response stream, thereby exposing applications to potential Denial of Service attacks. Users are encouraged to upgrade to the patched versions to mitigate this vulnerability.

Affected Version(s)

axios >= 1.0.0, < 1.15.1 < 1.0.0, 1.15.1

axios < 0.31.1 < 0.31.1

References

https://github.com/axios/axios/security/advisories/GHSA-v...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Apr 23, 2026

CVE-2026-42036 Data

JSON

AxiOS

What is CVE-2026-42036?

Affected Version(s)

References

CVSS V3.1

Timeline