What is CVE-2026-42036?

### Summary When responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. ### Details In lib/adapters/http.js: - 786-789: for responseType === 'stream', Axios immediately settles with the stream. - 797-810: maxContentLength enforcement exists only in the non-stream buffering branch. So callers may set maxContentLength and still receive/read arbitrarily large streamed responses. ### PoC Environment: - Axios main at commit f7a4ee2 - Node v24.2.0 Steps: 1. Start an HTTP server that returns a 2 MiB response body. 2. Call Axios with: - adapter: 'http' - responseType: 'stream' - maxContentLength: 1024 3. Read the returned stream fully. Observed: - Success; full 2097152 bytes readable. Control check: - Same endpoint with responseType: 'text' and same maxContentLength: rejected with maxContentLength size of 1024 exceeded. ### Impact Type: DoS / unbounded response processing. Impacted: Node.js applications relying on maxContentLength as a safety boundary while using streamed Axios responses.

What is the severity of CVE-2026-42036?

CVE-2026-42036 has a CVSS v3 score of 5.3, which is classified as Medium severity.

Is there an exploit available for CVE-2026-42036?

No known public exploits are currently available for CVE-2026-42036.

Is there a patch available for CVE-2026-42036?

Yes, patches are available for CVE-2026-42036. Check the vendor advisories for update instructions.

CVE-2026-42036 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v35.3

CVSS v20.0

Priority Score124.0

EPSS Score0.0

Medium

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

5.3

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

When responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption.

Details

In lib/adapters/http.js:

786-789: for responseType === 'stream', Axios immediately settles with the stream.
797-810: maxContentLength enforcement exists only in the non-stream buffering branch.

So callers may set maxContentLength and still receive/read arbitrarily large streamed responses.

PoC

Environment:

Axios main at commit f7a4ee2
Node v24.2.0

Steps:

Start an HTTP server that returns a 2 MiB response body.
Call Axios with:
- adapter: 'http'
- responseType: 'stream'
- maxContentLength: 1024
Read the returned stream fully.

Observed:

Success; full 2097152 bytes readable.

Control check:

Same endpoint with responseType: 'text' and same maxContentLength: rejected with maxContentLength size of 1024 exceeded.

Impact

Type: DoS / unbounded response processing. Impacted: Node.js applications relying on maxContentLength as a safety boundary while using streamed Axios responses.

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Network

User Interaction:Network

Scope:Unchanged

Confidentiality:Network

Integrity:Network

Availability:Local

Patch References

Security [email protected]

Ready for Agentic Automated Testing?

CVE-2026-42036

Summary

Details

PoC

Impact