7 matches found

RedhatCVE
added 2026/05/05 10:57 a.m., 0 views

CVE-2026-42036

A flaw was found in Axios. When responseType: 'stream' is used, Axios returns the response stream without enforcing the maxContentLength limit. This allows a remote attacker to bypass configured response-size limits, leading to unbounded downstream consumption of resources. This vulnerability...

CVSS 5.3, AI score 5.8, EPSS 0.00023
Exploits: 1, References: 4

Github Security Blog
added 2026/05/05 12:26 a.m., 8 views

Axios: HTTP adapter streamed responses bypass maxContentLength

Summary: When responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. Details: In lib/adapters/http.js: - 786-789: for responseType === 'stream', Axios immediatel...

CVSS 5.3, AI score 5.8, EPSS 0.00023
Exploits: 1, References: 3, Affected Software: 1

OSV
added 2026/05/05 12:26 a.m., 1 views

GHSA-VF2M-468P-8V99 Axios: HTTP adapter streamed responses bypass maxContentLength

Summary: When responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. Details: In lib/adapters/http.js: - 786-789: for responseType === 'stream', Axios immediatel...

CVSS 5.3, AI score 5.8, EPSS 0.00023
Exploits: 1, References: 3

ATTACKERKB
added 2026/04/24 6:0 p.m., 5 views

CVE-2026-42036

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. This...

CVSS 5.3, AI score 5.3, EPSS 0.00023
Exploits: 1, References: 2, Affected Software: 1

OSV
added 2025/09/11 9:7 p.m., 0 views

GHSA-4HJH-WCWX-XVWJ Axios is vulnerable to DoS attack through lack of data size check

Summary: When Axios runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory Buffer/Blob and returns a synthetic 200 response. This path ignores maxContentLength / maxBodyLength which only protect HTTP...

CVSS 7.5, AI score 7.1, EPSS 0.00257
Exploits: 1, References: 10

OSV
added 2019/05/29 6:4 p.m., 1 views

GHSA-42XW-2XVC-QX8M Denial of Service in axios

Versions of axios prior to 0.18.1 are vulnerable to Denial of Service. If a request exceeds the maxContentLength property, the package prints an error but does not stop the request. This may cause high CPU usage and lead to Denial of Service. Recommendation: Upgrade to 0.18.1 or later...

CVSS 7.5, AI score 7.1, EPSS 0.1309
Exploits: 1, References: 7

OSV
added 2019/05/07 7:29 p.m., 2 views

DEBIAN-CVE-2019-10742

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded...

CVSS 7.5, AI score 6.7, EPSS 0.1309
Exploits: 1, References: 1