Description
When `responseType: 'stream'` is used, Axios returns the response stream without enforcing `maxContentLength`. This bypasses configured response-size limits and allows unbounded downstream consumption.
Recommendation
Update the axios package to the latest compatible version. Version details follow:
Affected version(s): **<= 0.31.0; >= 1.0.0, < 1.15.1** Patched version(s): **0.31.1, 1.15.1**
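Code that consumes a streamed response can also count bytes itself, so the cap holds wherever the stream is read. The following is an added example, not code from axios or from this advisory; `limitBytes`, `readCapped`, `declaredLengthAllowed`, `ResponseTooLargeError` and the sample body are hypothetical names, and the input is constructed.

```javascript
// Added example (hypothetical helper names): cap the size of a streamed body
// at the consumer instead of relying on the HTTP client to do it.

class ResponseTooLargeError extends Error {
  constructor(seen, maxBytes) {
    super(`response body exceeded ${maxBytes} bytes (saw at least ${seen})`);
    this.name = 'ResponseTooLargeError';
    this.code = 'ERR_RESPONSE_TOO_LARGE';
  }
}

// Early rejection when the server declares an oversized body. The header can
// be absent (chunked encoding) or wrong, so the running count is still needed.
function declaredLengthAllowed(headers, maxBytes) {
  const raw = headers && headers['content-length'];
  if (raw === undefined) return true;
  const declared = Number(raw);
  return Number.isFinite(declared) && declared >= 0 && declared <= maxBytes;
}

// Wrap any async iterable of chunks (a Node Readable qualifies) and fail as
// soon as the running total passes maxBytes. Throwing inside the loop closes
// the source iterator, so no further chunks are pulled from it.
async function* limitBytes(source, maxBytes) {
  let seen = 0;
  for await (const chunk of source) {
    seen += typeof chunk === 'string' ? Buffer.byteLength(chunk) : chunk.byteLength;
    if (seen > maxBytes) throw new ResponseTooLargeError(seen, maxBytes);
    yield chunk;
  }
}

// Collect a capped stream into a single Buffer.
async function readCapped(source, maxBytes) {
  const parts = [];
  for await (const chunk of limitBytes(source, maxBytes)) parts.push(Buffer.from(chunk));
  return Buffer.concat(parts);
}

// Constructed sample input standing in for a streamed response body.
async function* constructedBody(chunkCount, chunkSize) {
  for (let i = 0; i < chunkCount; i++) yield Buffer.alloc(chunkSize, 0x41);
}

// Intended use with a response obtained via responseType: 'stream':
//   if (!declaredLengthAllowed(res.headers, MAX_BYTES)) res.data.destroy();
//   else body = await readCapped(res.data, MAX_BYTES);
```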
References
Related Issues
- Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 - CVE-2026-42034
- Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking - CVE-2026-42264
- Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - CVE-2026-42041
- @sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass - CVE-2026-40073
Tags: npm, axios
Last updated on May 05, 2026


