
4641 matches found

Vulnrichment
added 2026/04/24 5:59 p.m., 7 views

CVE-2026-42034 Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits...

CVSS 5.3, AI score 5.2, EPSS 0.00327
Exploits: 1, References: 1
Cvelist
added 2026/04/24 5:59 p.m., 27 views

CVE-2026-42034 Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits...

CVSS 5.3, EPSS 0.00327
Exploits: 1, References: 1
ATTACKERKB
added 2026/04/24 5:59 p.m., 6 views

CVE-2026-42034

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits...

CVSS 5.3, AI score 5.3, EPSS 0.00327
Exploits: 1, References: 2, Affected Software: 1
Debian CVE
added 2026/04/24 5:59 p.m., 4 views

CVE-2026-42034

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits...

CVSS 5.3, AI score 5.3, EPSS 0.00327
Exploits: 1
CVE
added 2026/04/24 5:59 p.m., 21 views

CVE-2026-42034

CVE-2026-42034 affects Axios, a promise-based HTTP client for browser and Node.js. The vulnerability occurs in the HTTP adapter for stream request bodies: for versions prior to 1.15.1 and 0.31.1, maxBodyLength is bypassed when maxRedirects is set to 0 on the native http/https transport path, caus...

CVSS 5.3, AI score 5.3, EPSS 0.00327
Exploits: 1, References: 1, Affected Software: 1
CVE
added 2026/04/24 5:58 p.m., 36 views

CVE-2026-42037

Axios 1.0.0–1.15.0/1.15.0x suffer a CRLF injection in the FormDataPart constructor (lib/helpers/formDataToStream.js) where value.type is interpolated into multipart part Content-Type headers without CRLF sanitization. An attacker controlling the .type of a Blob/File-like object can inject arbitra...

CVSS 5.3, AI score 5.6, EPSS 0.0024
Exploits: 1, References: 1, Affected Software: 1
Vulnrichment
added 2026/04/24 5:58 p.m., 5 views

CVE-2026-42037 Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream

Axios is a promise-based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker w...

CVSS 5.3, AI score 5.5, EPSS 0.0024
Exploits: 1, References: 1
ATTACKERKB
added 2026/04/24 5:58 p.m., 4 views

CVE-2026-42037

Axios is a promise-based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker w...

CVSS 5.3, AI score 5.6, EPSS 0.0024
Exploits: 1, References: 2, Affected Software: 1
Debian CVE
added 2026/04/24 5:58 p.m., 6 views

CVE-2026-42037

Axios is a promise-based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker w...

CVSS 5.3, AI score 5.7, EPSS 0.0024
Exploits: 1
CVE
added 2026/04/24 5:57 p.m., 64 views

CVE-2026-42038

Axios no_proxy bypass via IP alias allows SSRF in older releases. Affected: Axios (browser/Node.js). Fault: shouldBypassProxy() uses pure string matching and does not resolve IP aliases or loopback equivalents, so requests to 127.0.0.1 or [::1] can be proxied when no_proxy=localhost. Impact: pote...

CVSS 7.5, AI score 5.3, EPSS 0.00301
Exploits: 1, References: 1, Affected Software: 1
Vulnrichment
added 2026/04/24 5:57 p.m., 7 views

CVE-2026-42038 Axios: no_proxy bypass via IP alias allows SSRF

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...

CVSS 6.8, AI score 5.3, EPSS 0.00301
Exploits: 1, References: 1
Cvelist
added 2026/04/24 5:57 p.m., 33 views

CVE-2026-42038 Axios: no_proxy bypass via IP alias allows SSRF

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...

CVSS 6.8, EPSS 0.00301
Exploits: 1, References: 1
Debian CVE
added 2026/04/24 5:57 p.m., 4 views

CVE-2026-42038

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...

CVSS 7.5, AI score 5.3, EPSS 0.00301
Exploits: 1
CVE
added 2026/04/24 5:55 p.m., 33 views

CVE-2026-42041

CVE-2026-42041 affects Axios, a promise-based HTTP client for browser and Node.js. The issue is a prototype pollution gadget in the validateStatus merge strategy (uses the in operator), allowing pollution of Object.prototype to cause HTTP error responses (401/403/500, etc.) to be treated as succe...

CVSS 8.2, AI score 5.3, EPSS 0.00611
Exploits: 1, References: 39, Affected Software: 1
Cvelist
added 2026/04/24 5:55 p.m., 27 views

CVE-2026-42041 Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be...

CVSS 4.8, EPSS 0.00611
Exploits: 1, References: 1
ATTACKERKB
added 2026/04/24 5:55 p.m., 6 views

CVE-2026-42041

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be...

CVSS 4.8, AI score 5.3, EPSS 0.00611
Exploits: 1, References: 2, Affected Software: 1
Vulnrichment
added 2026/04/24 5:55 p.m., 3 views

CVE-2026-42041 Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be...

CVSS 4.8, AI score 5.3, EPSS 0.00611
Exploits: 1, References: 1
Debian CVE
added 2026/04/24 5:55 p.m., 4 views

CVE-2026-42041

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be...

CVSS 8.2, AI score 5.3, EPSS 0.00611
Exploits: 1
Vulnrichment
added 2026/04/24 5:54 p.m., 4 views

CVE-2026-42043 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NO_PROXY protection. This vulnerability is due t...

CVSS 7.2, AI score 5.3, EPSS 0.00661
Exploits: 1, References: 1
Cvelist
added 2026/04/24 5:54 p.m., 36 views

CVE-2026-42043 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NO_PROXY protection. This vulnerability is due t...

CVSS 7.2, EPSS 0.00661
Exploits: 1, References: 1