Null Byte Interaction Error (Poison Null Byte) in axios - #VU127597

 


Published: April 24, 2026


Vulnerability identifier: #VU127597
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-626
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: axios
Affected software:
axios

Detailed vulnerability description

The vulnerability allows a remote attacker to inject raw null bytes into serialized URL query parameters.

The vulnerability exists due to a null byte interaction error in the encode() function in lib/helpers/AxiosURLSearchParams.js. When parameters are serialized through AxiosURLSearchParams.toString() without an explicit encoder, or through a custom paramsSerializer that delegates to this internal encoder, null bytes in attacker-controlled parameter values are emitted as raw null bytes in the serialized query string instead of being percent-encoded.

The standard request flow, which serializes parameters through buildURL, is not affected. Exploitation is limited to code that uses AxiosURLSearchParams directly or to custom paramsSerializer implementations that delegate to the internal encoder.
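The following is an added example, not axios's own code. It is a minimal model of a URLSearchParams-style serializer whose default encoder turns a percent-encoded null byte back into a raw one, which is the behaviour the advisory describes; the names ParamsModel, unsafeEncode, safeEncode, buildURLModel, customSerializerModel and hasRawNullByte are assumptions chosen for illustration, and the crafted input is constructed. It shows the two affected paths (direct toString() without an encoder, and a custom serializer that delegates to the default encoder), the unaffected path that always passes an explicit encoder, and a check a practitioner can run on serialized output.

```javascript
// Added example, not axios code. Models the poison-null-byte pattern the
// advisory describes; all names below are illustrative assumptions.

// Default encoder of the model: percent-encode, then "prettify" a few
// sequences. The "%00" -> "\x00" entry is the null byte interaction defect.
function unsafeEncode(str) {
  const charMap = {
    '!': '%21',
    "'": '%27',
    '(': '%28',
    ')': '%29',
    '~': '%7E',
    '%20': '+',
    '%00': '\x00', // defect: re-introduces a raw NUL into the output
  };
  return encodeURIComponent(str).replace(/[!'()~]|%20|%00/g, (m) => charMap[m]);
}

// Hardened encoder: identical, except the null byte stays percent-encoded.
function safeEncode(str) {
  const charMap = {
    '!': '%21',
    "'": '%27',
    '(': '%28',
    ')': '%29',
    '~': '%7E',
    '%20': '+',
  };
  return encodeURIComponent(str).replace(/[!'()~]|%20/g, (m) => charMap[m]);
}

class ParamsModel {
  constructor(params) {
    this._pairs = Object.entries(params).map(([k, v]) => [k, String(v)]);
  }
  // toString(encoder): callers that pass no encoder get the default one,
  // which is the first affected path named in the advisory.
  toString(encoder) {
    const enc = encoder || unsafeEncode;
    return this._pairs.map(([k, v]) => enc(k) + '=' + enc(v)).join('&');
  }
}

// Model of a custom paramsSerializer that delegates to the default encoder:
// the second affected path named in the advisory.
function customSerializerModel(params) {
  return new ParamsModel(params).toString();
}

// Model of the standard request path: it always hands the serializer an
// explicit encoder, so the defective default is never reached.
function buildURLModel(url, params) {
  return url + '?' + new ParamsModel(params).toString(safeEncode);
}

// Detection helper for the symptom: any raw NUL in a serialized query string.
function hasRawNullByte(s) {
  return s.includes('\x00');
}

// Constructed attacker-controlled input with an embedded null byte.
const crafted = { file: 'report.pdf\x00.exe' };

const direct = new ParamsModel(crafted).toString();          // default encoder
const delegated = new ParamsModel(crafted).toString(safeEncode);
const viaBuildURL = buildURLModel('https://example.invalid/download', crafted);

console.log(JSON.stringify(direct));   // "file=report.pdf\u0000.exe"  (raw NUL)
console.log(delegated);                // file=report.pdf%00.exe
console.log(viaBuildURL);              // https://example.invalid/download?file=report.pdf%00.exe
console.log(hasRawNullByte(customSerializerModel(crafted))); // true
```

The hasRawNullByte check is the cheap assertion to put in front of any code that serializes user-controlled parameters through a custom paramsSerializer: if it ever fires, the serializer is reaching an encoder that does not percent-encode the null byte.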


Remediation

Install the security update from the vendor's website.

Sources