Resource exhaustion in axios - #VU136916

 

Resource exhaustion in axios - #VU136916

Published: July 6, 2026


Vulnerability identifier: #VU136916
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: axios
Affected software:
axios

Detailed vulnerability description

The vulnerability allows a remote user to cause uncontrolled resource consumption.

The vulnerability exists due to uncontrolled resource consumption in the Node.js HTTP/2 upload handling in the HTTP adapter when processing attacker-controlled streamed request bodies with httpVersion: 2 and a finite maxBodyLength. A remote user can supply a specially crafted oversized stream to cause uncontrolled resource consumption.

Only the Node.js HTTP adapter is affected. Browser adapters are not affected, and buffered request bodies are checked before the request is sent.


Remediation

Install security update from vendor's website.

Sources