Severity: MEDIUM (5.3)

GHSA-vf2m-468p-8v99

Axios: HTTP adapter streamed responses bypass maxContentLength

Details

### Summary

When responseType: 'stream' is used, Axios hands the caller the raw response stream without enforcing maxContentLength. A configured response-size limit is therefore silently bypassed, and whatever reads the stream can consume an unbounded body.

### Details

In lib/adapters/http.js:

- Lines 786-789: for responseType === 'stream', Axios settles the promise immediately with the response stream.
- Lines 797-810: maxContentLength is enforced only in the non-stream branch that buffers the body.

A caller can therefore set maxContentLength and still receive, and read to completion, an arbitrarily large streamed response.

### PoC

Environment:

- Axios main at commit f7a4ee2
- Node v24.2.0

Steps:

1. Start an HTTP server that returns a 2 MiB response body.
2. Call Axios with:
   - adapter: 'http'
   - responseType: 'stream'
   - maxContentLength: 1024
3. Read the returned stream fully.

Observed:

- Success; the full 2097152 bytes (2 MiB) are readable.

Control check:

- The same endpoint with responseType: 'text' and the same maxContentLength is rejected with "maxContentLength size of 1024 exceeded".

### Impact

Type: DoS / unbounded response processing.

Impacted: Node.js applications that rely on maxContentLength as a safety boundary while consuming Axios responses with responseType: 'stream'. Until upgraded, such applications must enforce the byte limit themselves on the returned stream, since Axios does not.


Affected packages

npm / axios
- Introduced in: 1.0.0
- Fixed in: 1.15.1
- Fix: npm install axios@1.15.1

npm / axios
- Introduced in: 0
- Fixed in: 0.31.1
- Fix: npm install axios@0.31.1
