Asymmetric denial of service in node-axios

Description

Axios: HTTP adapter streamed responses bypass maxContentLength

Summary

When responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption.

Details

In lib/adapters/http.js:

    Lines 786-789: for responseType === 'stream', Axios immediately settles with the stream.

    Lines 797-810: maxContentLength enforcement exists only in the non-stream buffering branch.

So callers may set maxContentLength and still receive/read arbitrarily large streamed responses.

PoC

Environment:

    Axios main at commit f7a4ee2

    Node v24.2.0

Steps:

    Start an HTTP server that returns a 2 MiB response body.

    Call Axios with:

      adapter: 'http'

      responseType: 'stream'

      maxContentLength: 1024

    Read the returned stream fully.

Observed:

    Success; full 2097152 bytes readable.

Control check:

    Same endpoint with responseType: 'text' and the same maxContentLength: rejected with "maxContentLength size of 1024 exceeded".

Impact

Type: DoS / unbounded response processing. Impacted: Node.js applications relying on maxContentLength as a safety boundary while using streamed Axios responses.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
