Resource exhaustion in axios - #VU136916
Published: July 6, 2026
axios
Detailed vulnerability description
The vulnerability allows a remote user to cause uncontrolled resource consumption.
The vulnerability exists due to uncontrolled resource consumption in the Node.js HTTP/2 upload handling in the HTTP adapter when processing attacker-controlled streamed request bodies with httpVersion: 2 and a finite maxBodyLength. A remote user can supply a specially crafted oversized stream to cause uncontrolled resource consumption.
Only the Node.js HTTP adapter is affected. Browser adapters are not affected, and buffered request bodies are checked before the request is sent.