Null Byte Encoding Issue in Axios HTTP Client
CVE-2026-42040

3.7 LOW

Key Information:

Vendor: axios

Status: Vendor

CVE Published: 24 April 2026

What is CVE-2026-42040?

A vulnerability exists in the encode() helper of the Axios HTTP client, which percent-encodes request data. The helper first produces a correct encoding: a null byte becomes the safe sequence %00. It then post-processes the result through a character map (charMap), and that map carries an entry that converts %00 back into a raw null byte, undoing the encoding. A raw null byte in serialized request data can cause unexpected behaviour in whatever consumes it. The standard Axios request flow is largely unaffected, which is reflected in the low score, but users should upgrade to 1.15.1 (1.x line) or 0.31.1 (0.x line), which contain the fix.
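The encoding defect described above, as an added example that is not code from this page or from the axios project: a minimal model of an encode() helper that percent-encodes with encodeURIComponent() and then post-processes the result through a charMap. The names encodeVulnerable, encodeFixed, serializeParams and containsRawNul, and the sample input, are constructed for illustration. The vulnerable variant carries a '%00' to raw-NUL map entry; the fixed variant simply has no such entry, so the %00 produced by encodeURIComponent() survives.

```javascript
// Added example modelling the encode()/charMap pattern from the advisory.
// Not axios's own source; all names below are assumptions for illustration.

// Post-processing map shared by both variants: a few characters that
// encodeURIComponent() leaves alone are forced to percent form, and
// %20 is rendered as '+' (application/x-www-form-urlencoded style).
const SHARED_MAP = {
  '!': '%21',
  "'": '%27',
  '(': '%28',
  ')': '%29',
  '~': '%7E',
  '%20': '+',
};

// Vulnerable map: the extra entry maps the safe %00 back to a raw NUL,
// which is exactly the reversal the advisory describes.
const VULNERABLE_MAP = { ...SHARED_MAP, '%00': '\x00' };

// Common shape: percent-encode first, then rewrite the sequences matched by
// `pattern` through `charMap`.
function encodeWith(charMap, pattern, value) {
  return encodeURIComponent(String(value)).replace(pattern, (m) => charMap[m]);
}

// Vulnerable variant: %00 is both matched by the pattern and present in the map.
function encodeVulnerable(value) {
  return encodeWith(VULNERABLE_MAP, /[!'()~]|%20|%00/g, value);
}

// Fixed variant: %00 is neither matched nor mapped, so it is left encoded.
function encodeFixed(value) {
  return encodeWith(SHARED_MAP, /[!'()~]|%20/g, value);
}

// Serialize a flat key/value object into a query string or form body
// using the supplied encoder for both keys and values.
function serializeParams(params, encode) {
  return Object.entries(params)
    .map(([k, v]) => `${encode(k)}=${encode(v)}`)
    .join('&');
}

// Audit helper: a correctly percent-encoded string must never contain a
// raw NUL byte. Returns true when one is present.
function containsRawNul(s) {
  return s.includes('\x00');
}

// Constructed sample input: a value carrying a null byte, as an attacker
// might supply through a user-controlled field.
const params = { user: 'alice', note: 'hello\x00world' };

const vulnBody = serializeParams(params, encodeVulnerable);
const fixedBody = serializeParams(params, encodeFixed);

console.log('vulnerable:', JSON.stringify(vulnBody), 'raw NUL:', containsRawNul(vulnBody));
console.log('fixed:     ', JSON.stringify(fixedBody), 'raw NUL:', containsRawNul(fixedBody));
```

Run with `node`; the vulnerable serializer emits `note=hello\u0000world` while the fixed one emits `note=hello%00world`. The containsRawNul() check is the kind of assertion worth adding to a test suite that covers any custom parameter serializer passed to Axios.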

Affected Version(s)

axios >= 1.0.0, < 1.15.1 (1.x line; fixed in 1.15.1; versions < 1.0.0 fall under the 0.x line below)

axios < 0.31.1 (0.x line; fixed in 0.31.1)

References

CVSS V3.1

Score:
3.7
Severity:
LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 24 April 2026