GHSA-5c9x-8gcm-mpgx

Source
https://github.com/advisories/GHSA-5c9x-8gcm-mpgx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5c9x-8gcm-mpgx/GHSA-5c9x-8gcm-mpgx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5c9x-8gcm-mpgx
Aliases
  • CVE-2026-42034
Downstream
Related
Published
2026-05-05T00:33:25Z
Modified
2026-05-06T15:29:22.484110786Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
Details

Summary

For stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits.

Details

Relevant flow in lib/adapters/http.js:

  • 556-564: the maxBodyLength check applies only to buffered/non-stream data.
  • 681-682: maxRedirects === 0 selects the native http/https transport.
  • 694-699: options.maxBodyLength is set, but the native transport does not enforce it.
  • 925-945: the stream is piped directly to the socket (data.pipe(req)) with no Axios byte counting.

This creates a path-specific bypass for streamed uploads.

### PoC

Environment:

  • Axios main at commit f7a4ee2
  • Node v24.2.0

Steps:

  1. Start an HTTP server that counts uploaded bytes and returns {received}.
  2. Send a 2 MiB Readable stream with:
     • adapter: 'http'
     • maxBodyLength: 1024
     • maxRedirects: 0

Observed:

  • Request succeeds; server reports received: 2097152.

Control checks:

  • Same stream with default/nonzero redirects: rejected with ERR_FR_MAX_BODY_LENGTH_EXCEEDED.
  • Buffered body with maxRedirects: 0: rejected with ERR_BAD_REQUEST.

### Impact

Type: DoS / uncontrolled upstream upload / resource exhaustion.

Impacted: Node.js services using streamed request bodies with maxBodyLength expecting hard enforcement, especially when following Axios guidance to use maxRedirects: 0 for streams.

Database specific
{
    "github_reviewed_at": "2026-05-05T00:33:25Z",
    "nvd_published_at": "2026-04-24T18:16:30Z",
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

npm / axios

Package

Affected ranges

Type
SEMVER
Events
Introduced
1.0.0
Fixed
1.15.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5c9x-8gcm-mpgx/GHSA-5c9x-8gcm-mpgx.json"

npm / axios

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
0.31.1

Database specific

last_known_affected_version_range
"<= 0.31.0"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5c9x-8gcm-mpgx/GHSA-5c9x-8gcm-mpgx.json"