Vulnerability-Lookup

Search criteria

Vendor

Product

Assigner

Sources

Sort by

Order

Apply ordering (override relevance)

Related vulnerabilities

GHSA-777C-7FJR-54VF

Vulnerability from github – Published: 2026-06-04 14:21 – Updated: 2026-06-04 14:21

Summary

Allocation of Resources Without Limits or Throttling in Axios

Details

Summary

Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured.

This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary.

Impact

The impact is availability-only. Affected applications may process, buffer, or transmit data beyond the configured limit, potentially exhausting memory, CPU, or network resources.

This does not affect axios’s default unlimited behaviour by itself: maxContentLength and maxBodyLength default to -1. The vulnerability exists when an application has configured finite limits and expects axios to enforce them.

Server-side runtimes are the primary concern. Browser impact is generally constrained by the browser process and browser fetch behavior, and should not be described as server process exhaustion.

Affected Functionality

Affected functionality includes requests using the built-in fetch adapter with finite maxContentLength or maxBodyLength values.

Relevant configurations include:

adapter: 'fetch'
adapter: ['fetch', ...] when fetch is selected
environments where neither xhr nor http is available and axios falls back to fetch
custom fetch environments configured through env.fetch

Unaffected functionality includes:

Node.js default http adapter enforcement
versions before the fetch adapter was introduced
configurations that do not rely on finite axios size limits

Technical Details

In vulnerable versions, lib/adapters/fetch.js destructured request config without maxContentLength or maxBodyLength. The adapter dispatched fetch() and then materialized the response through text(), arrayBuffer(), blob(), or related resolvers without checking the configured response limit.

The fix in e5540dc added:

maxContentLength and maxBodyLength reads in lib/adapters/fetch.js
upfront data: URL decoded-size checks
outbound body-size checks before dispatch
Content-Length response pre-checks
streaming response enforcement
fallback checks for environments without ReadableStream
regression tests in tests/unit/adapters/fetch.test.js

Proof of Concept of Attack

import http from 'node:http';
import axios from 'axios';

const server = http.createServer((req, res) => {
  let received = 0;

  req.on('data', chunk => {
    received += chunk.length;
  });

  req.on('end', () => {
    res.end(JSON.stringify({ received }));
  });
});

await new Promise(resolve => server.listen(0, resolve));
const url = `http://127.0.0.1:${server.address().port}/`;

await axios.post(url, 'A'.repeat(2 * 1024 * 1024), {
  adapter: 'fetch',
  maxBodyLength: 1024
});

// Vulnerable versions succeed and the server receives 2097152 bytes.
// Fixed versions reject with ERR_BAD_REQUEST.

server.close();

Workarounds

Use the Node.js http adapter for server-side requests where finite size limits are security-relevant.

Validate or cap attacker-controlled request bodies before passing them to axios.

Reject or strictly allowlist attacker-controlled URL schemes, especially data: URLs, before calling axios.

Original Report ### Summary When Axios is used with adapter: 'fetch', configured body/response size limits are not enforced. This allows oversized uploads/downloads (including data: URLs) despite explicit limits, which can lead to memory/resource exhaustion in server-side usage. ### Details maxBodyLength and maxContentLength are not applied in the fetch adapter flow: - lib/adapters/fetch.js (146-160): config destructuring does not include these controls. - lib/adapters/fetch.js (220-234): request is dispatched with fetch() without request-size enforcement. - lib/adapters/fetch.js (267-283): response is materialized via text(), arrayBuffer(), blob(), etc. without response-size checks. By contrast, the HTTP adapter enforces both limits. ### PoC Environment: - Axios main at commit f7a4ee2 - Node v24.2.0 Steps: 1. Start an HTTP server that counts received bytes and echoes {received}. 2. Send 2 MiB with: - adapter: 'fetch' - maxBodyLength: 1024 3. Request a 4 KiB data: URL with: - adapter: 'fetch' - maxContentLength: 16 Expected secure behavior: both requests rejected. Observed: - Upload: success, server received 2097152 - data: response: success, length 4096 ### Impact Type: DoS / resource exhaustion due to limit bypass. Impacted: applications using Axios fetch adapter as a server-side security control boundary for untrusted request/response sizes.

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "axios"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44488"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-04T14:21:37Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nAxios versions `1.7.0` through `1.15.x` did not enforce configured request and response size limits when requests were sent with the `fetch` adapter. Applications that selected `adapter: \u0027fetch\u0027`, or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than `maxContentLength` or `maxBodyLength` despite those limits being explicitly configured.\n\nThis can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large `data:` URL, or when an application forwards attacker-controlled request bodies through axios while relying on `maxBodyLength` as a boundary.\n\n## Impact\n\nThe impact is availability-only. Affected applications may process, buffer, or transmit data beyond the configured limit, potentially exhausting memory, CPU, or network resources.\n\nThis does not affect axios\u2019s default unlimited behaviour by itself: `maxContentLength` and `maxBodyLength` default to `-1`. The vulnerability exists when an application has configured finite limits and expects axios to enforce them.\n\nServer-side runtimes are the primary concern. Browser impact is generally constrained by the browser process and browser fetch behavior, and should not be described as server process exhaustion.\n\n## Affected Functionality\n\nAffected functionality includes requests using the built-in `fetch` adapter with finite `maxContentLength` or `maxBodyLength` values.\n\nRelevant configurations include:\n\n- `adapter: \u0027fetch\u0027`\n- `adapter: [\u0027fetch\u0027, ...]` when `fetch` is selected\n- environments where neither `xhr` nor `http` is available and axios falls back to `fetch`\n- custom fetch environments configured through `env.fetch`\n\nUnaffected functionality includes:\n\n- Node.js default `http` adapter enforcement\n- versions before the fetch adapter was introduced\n- configurations that do not rely on finite axios size limits\n\n## Technical Details\n\nIn vulnerable versions, `lib/adapters/fetch.js` destructured request config without `maxContentLength` or `maxBodyLength`. The adapter dispatched `fetch()` and then materialized the response through `text()`, `arrayBuffer()`, `blob()`, or related resolvers without checking the configured response limit.\n\nThe fix in `e5540dc` added:\n\n- `maxContentLength` and `maxBodyLength` reads in `lib/adapters/fetch.js`\n- upfront `data:` URL decoded-size checks\n- outbound body-size checks before dispatch\n- `Content-Length` response pre-checks\n- streaming response enforcement\n- fallback checks for environments without `ReadableStream`\n- regression tests in `tests/unit/adapters/fetch.test.js`\n\n## Proof of Concept of Attack\n\n```js\nimport http from \u0027node:http\u0027;\nimport axios from \u0027axios\u0027;\n\nconst server = http.createServer((req, res) =\u003e {\n  let received = 0;\n\n  req.on(\u0027data\u0027, chunk =\u003e {\n    received += chunk.length;\n  });\n\n  req.on(\u0027end\u0027, () =\u003e {\n    res.end(JSON.stringify({ received }));\n  });\n});\n\nawait new Promise(resolve =\u003e server.listen(0, resolve));\nconst url = `http://127.0.0.1:${server.address().port}/`;\n\nawait axios.post(url, \u0027A\u0027.repeat(2 * 1024 * 1024), {\n  adapter: \u0027fetch\u0027,\n  maxBodyLength: 1024\n});\n\n// Vulnerable versions succeed and the server receives 2097152 bytes.\n// Fixed versions reject with ERR_BAD_REQUEST.\n\nserver.close();\n```\n\n## Workarounds\n\nUse the Node.js `http` adapter for server-side requests where finite size limits are security-relevant.\n\nValidate or cap attacker-controlled request bodies before passing them to axios.\n\nReject or strictly allowlist attacker-controlled URL schemes, especially `data:` URLs, before calling axios.\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Report\u003c/summary\u003e\n\n### Summary\nWhen Axios is used with adapter: \u0027fetch\u0027, configured body/response size limits are not enforced. This allows oversized uploads/downloads (including data: URLs) despite explicit limits, which can lead to memory/resource exhaustion in server-side usage.\n\n### Details\nmaxBodyLength and maxContentLength are not applied in the fetch adapter flow:\n  - lib/adapters/fetch.js (146-160): config destructuring does not include these controls.\n  - lib/adapters/fetch.js (220-234): request is dispatched with fetch() without request-size enforcement.\n  - lib/adapters/fetch.js (267-283): response is materialized via text(), arrayBuffer(), blob(), etc. without response-size checks.\nBy contrast, the HTTP adapter enforces both limits.\n\n### PoC\n  Environment:\n  - Axios main at commit f7a4ee2\n  - Node v24.2.0\n\nSteps:\n  1. Start an HTTP server that counts received bytes and echoes {received}.\n  2. Send 2 MiB with:\n      - adapter: \u0027fetch\u0027\n      - maxBodyLength: 1024\n  3. Request a 4 KiB data: URL with:\n      - adapter: \u0027fetch\u0027\n      - maxContentLength: 16\n\nExpected secure behavior: both requests rejected.\n Observed:\n  - Upload: success, server received 2097152\n  - data: response: success, length 4096\n\n### Impact\nType: DoS / resource exhaustion due to limit bypass.\nImpacted: applications using Axios fetch adapter as a server-side security control boundary for untrusted request/response sizes.\n\u003c/details\u003e\n\n---",
  "id": "GHSA-777c-7fjr-54vf",
  "modified": "2026-06-04T14:21:37Z",
  "published": "2026-06-04T14:21:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/pull/10795"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/pull/10796"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/axios/axios"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/releases/tag/v1.16.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Allocation of Resources Without Limits or Throttling in Axios"
}