Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0

Description

For stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits.

Recommendation

Update the axios package to the latest compatible version. Followings are version details:

• Affected version(s): **<= 0.31.0

  >= 1.0.0, < 1.15.1**

• Patched version(s): **0.31.1

  1.15.1**

References

• GHSA-5c9x-8gcm-mpgx
• CVE-2026-42034
• CWE-770
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Axios: HTTP adapter streamed responses bypass maxContentLength - CVE-2026-42036
• Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking - CVE-2026-42264
• @sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass - CVE-2026-40073
• Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - CVE-2026-42041

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

axios