CVE-2026-42036
published 2026-04-24CVE-2026-42036: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response…
medium5.3CVSS 3.1
AVNACLPRNUINSUCNINAL
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. This vulnerability is fixed in 1.15.1 and 0.31.1.
Affected
62 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | system-rhel7 | — | — |
| 3scale-amp2 | system-rhel8 | — | — |
| 3scale-amp2 | system-rhel9 | — | — |
| 3scale-amp21 | system | — | — |
| 3scale-amp22 | system | — | — |
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform | automation-dashboard-rhel9 | — | — |
| ansible-automation-platform | automation-portal | — | — |
| apicurio | apicurio-registry-ui-rhel8 | — | — |
| apicurio | apicurio-registry-ui-rhel9 | — | — |
| axios | axios | < 0.31.1 | 0.31.1 |
| axios | axios | — | — |
| axios | axios | — | — |
| axios | axios | >= 0 < 0.31.1 | 0.31.1 |
| axios | axios | >= 1.0.0 < 1.15.1 | 1.15.1 |
| axios | axios | >= 1.0.0 < 1.15.1 | 1.15.1 |
| boost | boost | — | — |
| container-native-virtualization | kubevirt-console-plugin | — | — |
| container-native-virtualization | kubevirt-console-plugin-rhel9 | — | — |
| devspaces | code-rhel9 | — | — |
| devspaces | dashboard-rhel9 | — | — |
| discovery | discovery-ui-rhel9 | — | — |
| gatekeeper | gatekeeper-rhel9 | — | — |
| grafana | grafana | — | — |