EUVD-2026-25601

Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0...

GHSA-5C9X-8GCM-MPGX Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0

Summary For stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 native http/https transport path. Oversized streamed uploads are sent fully even when the caller sets strict body limits. Details Relevant flow in lib/adapters/http.js: - 556-564: maxBodyLength check applie...

Stream Request Bypass

Axios is vulnerable to Stream Request Bypass. The vulnerability is due to the bypassing of maxBodyLength when maxRedirects is set to 0 for stream request bodies, where oversized streamed uploads are sent fully even when the caller sets strict body limits...

Allocation of Resources Without Limits or Throttling

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the data.pipereq upload path in the HTTP adapter. An attacker can send a streamed request body larger than the...

DEBIAN-CVE-2026-31958

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates the possibility ...

CVE-2026-31958

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates the possibility ...

CVE-2026-27633 TinyWeb has Unbounded Content-Length Memory Exhaustion (DoS)

TinyWeb is a web server HTTP, HTTPS written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service DoS vulnerability via memory exhaustion. Unauthenticated remote attackers can send an HTTP POST request to the server with an exceptionally large Content-Length header e.g.,...

CVE-2026-27633

TinyWeb is a web server HTTP, HTTPS written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service DoS vulnerability via memory exhaustion. Unauthenticated remote attackers can send an HTTP POST request to the server with an exceptionally large Content-Length header e.g.,...

SUSE CVE-2025-61919

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, Rack::RequestPOST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.readnil without enforcing a length or cap. Large request bodies can therefo...

PT-2025-41595

Name of the Vulnerable Software and Affected Versions Rack versions prior to 2.2.20 Rack versions prior to 3.1.18 Rack versions prior to 3.2.3 Description Rack is a modular Ruby web server interface. In versions prior to 2.2.20, 3.1.18, and 3.2.3, the Rack::RequestPOST method reads the entire...

PT-2024-30653 · Apollo · Apollo Router

Name of the Vulnerable Software and Affected Versions: Apollo Router versions 1.7.0 through 1.52.0 Apollo Router versions 1.21.0 through 1.52.0 Description: The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo...

V8 Memory Corruption and Stack Overflow (fixed in Node v0.8.28 and v0.10.30)

V8 Memory Corruption and Stack Overflow fixed in Node v0.8.28 and v0.10.30 A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may...