CVE-2026-42037 — CRLF Injection in Axios
Severity
5.3MEDIUMNVD
EPSS
0.0%
top 85.82%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 24
Description
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypa…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4
Affected Packages59 packages
🔴Vulnerability Details
1VulDB▶
Axios up to 1.15.0 Content-Type Header formDataToStream.js crlf injection (GHSA-445q-vr5w-6q77)↗2026-04-24
📋Vendor Advisories
1Red Hat▶
axios: Node.js: Axios: Information disclosure via CRLF injection in multipart Content-Type header↗2026-04-24
💬Community
1Bugzilla▶
CVE-2026-42037 axios: Node.js: Axios: Information disclosure via CRLF injection in multipart Content-Type header↗2026-04-24