Allocation of Resources Without Limits or Throttling in axios - #VU136915
Published: July 6, 2026
axios
Detailed vulnerability description
The vulnerability allows a remote attacker to cause resource consumption and exhaust upstream quotas or bandwidth.
The vulnerability exists due to allocation of resources without limits or throttling in the fetch adapter when processing attacker-controlled unknown-length WHATWG ReadableStream request bodies. A remote attacker can supply a specially crafted streamed request body to cause resource consumption and exhaust upstream quotas or bandwidth.
Exploitation requires an application to use the fetch adapter, set a finite maxBodyLength value, and pass attacker-controlled stream data without a reliable Content-Length.