Sign In

CVE-2026-42036

ADVISORY - github

Summary

Summary

When responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption.

Details

In lib/adapters/http.js:

  • 786-789: for responseType === 'stream', Axios immediately settles with the stream.
  • 797-810: maxContentLength enforcement exists only in the non-stream buffering branch.

So callers may set maxContentLength and still receive/read arbitrarily large streamed responses.

PoC

Environment:

  • Axios main at commit f7a4ee2
  • Node v24.2.0

Steps:

  1. Start an HTTP server that returns a 2 MiB response body.
  2. Call Axios with:
    • adapter: 'http'
    • responseType: 'stream'
    • maxContentLength: 1024
  3. Read the returned stream fully.

Observed:

  • Success; full 2097152 bytes readable.

Control check:

  • Same endpoint with responseType: 'text' and same maxContentLength: rejected with maxContentLength size of 1024 exceeded.

Impact

Type: DoS / unbounded response processing. Impacted: Node.js applications relying on maxContentLength as a safety boundary while using streamed Axios responses.

EPSS Score: 0.00051 (0.156)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-770

Allocation of Resources Without Limits or Throttling

ADVISORY - github

CWE-770

Allocation of Resources Without Limits or Throttling

Impacted images

Advisories

NIST

CREATED

UPDATED

ADVISORY IDCVE-2026-42036
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
COMMON WEAKNESS ENUMERATION (CWE)
CWE-770

CVSS SCORE

5.3medium

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-vf2m-468p-8v99
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-770

CVSS SCORE

5.3medium

Debian

CREATED

UPDATED

ADVISORY IDCVE-2026-42036
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

UPDATED

ADVISORY IDCVE-2026-42036
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-7hfx-f52c-jx67

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-2hwr-869m-472h

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-8r9c-qvj8-494g

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-cvhp-8mgq-xpg2

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-q2f5-vqq4-w4mq

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-vfh5-3cjw-w3rp

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-xw9w-h925-435c

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY