Allocation of Resources Without Limits or Throttling in axios - #VU136915

 

Allocation of Resources Without Limits or Throttling in axios - #VU136915

Published: July 6, 2026


Vulnerability identifier: #VU136915
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-770
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: axios
Affected software:
axios

Detailed vulnerability description

The vulnerability allows a remote attacker to cause resource consumption and exhaust upstream quotas or bandwidth.

The vulnerability exists due to allocation of resources without limits or throttling in the fetch adapter when processing attacker-controlled unknown-length WHATWG ReadableStream request bodies. A remote attacker can supply a specially crafted streamed request body to cause resource consumption and exhaust upstream quotas or bandwidth.

Exploitation requires an application to use the fetch adapter, set a finite maxBodyLength value, and pass attacker-controlled stream data without a reliable Content-Length.


Remediation

Install security update from vendor's website.

Sources