CVE-2026-42036

Summary

When responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption.

Details

In lib/adapters/http.js:

• 786-789: for responseType === 'stream', Axios immediately settles with the stream.
• 797-810: maxContentLength enforcement exists only in the non-stream buffering branch.

So callers may set maxContentLength and still receive/read arbitrarily large streamed responses.

PoC

Environment:

• Axios main at commit f7a4ee2
• Node v24.2.0

Steps:

1. Start an HTTP server that returns a 2 MiB response body.
2. Call Axios with:
   • adapter: 'http'
   • responseType: 'stream'
   • maxContentLength: 1024
3. Read the returned stream fully.

Observed:

• Success; full 2097152 bytes readable.

Control check:

• Same endpoint with responseType: 'text' and same maxContentLength: rejected with maxContentLength size of 1024 exceeded.

Impact

Type: DoS / unbounded response processing. Impacted: Node.js applications relying on maxContentLength as a safety boundary while using streamed Axios responses.