Allocation of Resources Without Limits or Throttling

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the fetch adapter when finite size limits are configured but not enforced. An attacker can exhaust server resource...

GHSA-777C-7FJR-54VF Allocation of Resources Without Limits or Throttling in Axios

Summary Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies large...

Allocation of Resources Without Limits or Throttling in Axios

Summary Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies large...

Allocation of Resources Without Limits or Throttling

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the fetch adapter when finite size limits are configured but not enforced. An attacker can exhaust...

Astra Linux - уязвимость в linux-5.10, linux-6.1, linux-5.15

In the Linux kernel, the following vulnerabilities have been resolved: drm/dpmst: Fixed the check on the length of the MST sideband message body. The issue involved checking the length of the MST sideband message body, which must be at least 1 byte, taking into account the message body CRC also...

MGASA-2026-0146 Updated haproxy packages fix security vulnerability

The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. CVE-2026-33555...

Node.js Module axios < 1.15.1 Multiple Vulnerabilities

The version of the axios Node.js module installed on the remote host is prior to 1.15.1. It is, therefore, affected by multiple vulnerabilities: - Prototype pollution gadgets in axios allow response tampering, data exfiltration, and request hijacking. CVE-2026-42033 - Axios' HTTP adapter-streamed...

CVE-2026-42034

A flaw was found in Axios. A remote attacker can exploit this vulnerability by sending oversized streamed uploads. This occurs when the maxRedirects setting is configured to 0, which bypasses the maxBodyLength limit for stream request bodies. Consequently, the system will process the full oversiz...

Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0

Summary For stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 native http/https transport path. Oversized streamed uploads are sent fully even when the caller sets strict body limits. Details Relevant flow in lib/adapters/http.js: - 556-564: maxBodyLength check applie...

GHSA-5C9X-8GCM-MPGX Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0

Summary For stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 native http/https transport path. Oversized streamed uploads are sent fully even when the caller sets strict body limits. Details Relevant flow in lib/adapters/http.js: - 556-564: maxBodyLength check applie...

EUVD-2026-25601

Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0...

NPM: Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0

NPM: Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...

Stream Request Bypass

Axios is vulnerable to Stream Request Bypass. The vulnerability is due to the bypassing of maxBodyLength when maxRedirects is set to 0 for stream request bodies, where oversized streamed uploads are sent fully even when the caller sets strict body limits...

OESA-2026-2086 haproxy security update

HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. Security Fixes: An issue was...

OESA-2026-2085 haproxy security update

HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. Security Fixes: An issue was...

Allocation of Resources Without Limits or Throttling

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the data.pipereq upload path in the HTTP adapter. An attacker can send a streamed request body...

Allocation of Resources Without Limits or Throttling

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the data.pipereq upload path in the HTTP adapter. An attacker can send a streamed request body larger than the...

CVE-2026-42034

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 native http/https transport path. Oversized streamed uploads are sent fully even when the caller sets strict body limits...

CVE-2026-42034 Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 native http/https transport path. Oversized streamed uploads are sent fully even when the caller sets strict body limits...

PT-2026-35045

Name of the Vulnerable Software and Affected Versions Axios versions prior to 0.31.1 Axios versions prior to 1.15.1 Description For stream request bodies, the maxBodyLength limit is bypassed when maxRedirects is set to 0 using the native http/https transport path. This allows oversized streamed...