Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
- Severity: Medium
Description
The FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.
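As an added example (not axios's own code and not the patched formDataToStream.js), the following sketches a part-header builder in the shape the description gives, beside a hardened variant that validates blob.type against the media-type grammar before it reaches the header, plus a check a test suite or proxy can run on the rendered part. BOUNDARY, buildPartHeaderUnsafe, buildPartHeaderSafe, sanitizeMediaType and countHeaderLines are hypothetical names.

```javascript
const CRLF = '\r\n';
const BOUNDARY = 'example-boundary-0000'; // constructed sample boundary, not a real one

// Vulnerable pattern (modelled on the behaviour the advisory describes, not axios's source):
// the blob's type string is interpolated into the part header unchanged.
// name and filename are assumed to be escaped by the caller; they are outside this advisory's scope.
function buildPartHeaderUnsafe(name, filename, type) {
  return `--${BOUNDARY}${CRLF}` +
    `Content-Disposition: form-data; name="${name}"; filename="${filename}"${CRLF}` +
    `Content-Type: ${type}${CRLF}${CRLF}`;
}

// Hardened: accept only the RFC 2045 "type/subtype" grammar with optional
// token=value or token="quoted" parameters, separated by ';' and optional SP/HTAB.
// Nothing in this grammar admits CR, LF or other control bytes, so the value
// cannot terminate its own header line early.
const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
const MEDIA_TYPE = new RegExp(
  `^${TOKEN}/${TOKEN}(?:[ \\t]*;[ \\t]*${TOKEN}=(?:${TOKEN}|"[^"\\r\\n\\\\]*"))*$`
);

function sanitizeMediaType(type) {
  // Missing or empty type falls back to the generic binary type.
  if (typeof type !== 'string' || type === '') return 'application/octet-stream';
  if (!MEDIA_TYPE.test(type)) {
    throw new TypeError('blob.type is not a valid media type for a Content-Type header');
  }
  return type;
}

function buildPartHeaderSafe(name, filename, type) {
  return buildPartHeaderUnsafe(name, filename, sanitizeMediaType(type));
}

// Detection helper: this layout emits exactly two header lines between the
// boundary line and the empty line that precedes the body. Any extra line
// means a header value carried its own CRLF into the part.
function countHeaderLines(partHeader) {
  // split yields ['--boundary', hdr1, hdr2, ..., '', '']; drop boundary and the two empties
  return partHeader.split(CRLF).length - 3;
}
```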
Recommendation
Update the axios package to the latest compatible version. Version details:
- Affected version(s): >= 1.0.0, < 1.15.1
- Patched version(s): 1.15.1
Related Issues
- Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type - CVE-2022-35948
- SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`. - CVE-2026-32763
- Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API - CVE-2026-45719
- Undici has CRLF Injection in undici via `upgrade` option - CVE-2026-1527
Tags:
- npm
- axios
Last updated on May 05, 2026