Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
- Severity:
- Medium
Description
The FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.
Recommendation
Update the axios package to the latest compatible version. Followings are version details:
- Affected version(s): >= 1.0.0, < 1.15.1
- Patched version(s): 1.15.1
References
Related Issues
- Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys. - CVE-2026-33442
- Parse Server has a NoSQL injection via token type in password reset and email verification endpoints - CVE-2026-30941
- Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams - CVE-2026-42040
- @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input - CVE-2026-42853
You might also like:
- Tags:
- npm
- axios
Anything's wrong? Let us know Last updated on May 05, 2026


