CVE-2026-42034 MEDIUM

CVE-2026-42034: Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0

Vendor Axios
Product axios
Weakness CWE-770 · Uncontrolled resource consumption
Published April 24, 2026
Last update April 24, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits. This vulnerability is fixed in 1.15.1 and 0.31.1.

Key dates

02Disclosure timeline

April 24, 2026 CVE published
April 24, 2026 Record updated