Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
- Severity:
- Low
Description
No description available.
Recommendation
Update the axios package to the latest compatible version. Followings are version details:
Affected version(s): **<= 0.31.0 >= 1.0.0, < 1.15.1** Patched version(s): **0.31.1 1.15.1**
References
Related Issues
- Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream - CVE-2026-42037
- fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names - CVE-2026-25896
- Axios: Header Injection via Prototype Pollution - CVE-2026-42035
- Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - CVE-2026-40175
You might also like:
- Tags:
- npm
- axios
Anything's wrong? Let us know Last updated on May 05, 2026