Code Injection Vulnerability in Axios HTTP Client
CVE-2026-42037

5.3MEDIUM

Key Information:

Vendor: AxiOS
Status: AxiOS
Vendor: CVE Published:; 24 April 2026

What is CVE-2026-42037?

The Axios HTTP client, versions 1.0.0 through 1.15.0, contains a vulnerability in the FormDataPart constructor found in lib/helpers/formDataToStream.js. This issue arises from the lack of sanitization of CRLF sequences in the Content-Type header, allowing attackers to control the .type property of a Blob/File-like object. By exploiting user-uploaded files in a Node.js proxy service, an attacker could inject arbitrary MIME part headers into the multipart form-data body. This flaw bypasses the built-in header protections in Node.js v18 and later versions since the injection affects the multipart body structure rather than the HTTP request headers. The issue has been resolved in version 1.15.1.

Affected Version(s)

axios >= 1.0.0, < 1.15.1

References

https://github.com/axios/axios/security/advisories/GHSA-4...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Apr 23, 2026

CVE-2026-42037 Data

JSON

AxiOS

What is CVE-2026-42037?

Affected Version(s)

References

CVSS V3.1

Timeline