Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
- Severity:
- Medium
Description
For stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits.
Recommendation
Update the axios package to the latest compatible version. Followings are version details:
Affected version(s): **<= 0.31.0 >= 1.0.0, < 1.15.1** Patched version(s): **0.31.1 1.15.1**
References
Related Issues
- Axios: HTTP adapter streamed responses bypass maxContentLength - CVE-2026-42036
- Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking - CVE-2026-42264
- Axios HTTP/2 Session Cleanup State Corruption Vulnerability - CVE-2026-39865
- Axios: no_proxy bypass via IP alias allows SSRF - CVE-2026-42038
You might also like:
- Tags:
- npm
- axios
Anything's wrong? Let us know Last updated on May 05, 2026


