CVE-2026-42034: maxBodyLength Bypass in Axios Node.js Stream Transport

Axios operates as a universal HTTP client, supporting both browser and server environments. In Node.js environments, it relies on the internal http and https modules to facilitate network requests. This vulnerability manifests in the HTTP adapter component responsible for dispatching outbound server-side requests. The flaw exclusively affects the Node.js execution environment; browser-based implementations relying on XMLHttpRequest or the Fetch API are not affected.

The vulnerability is classified under CWE-770: Allocation of Resources Without Limits or Throttling. The core issue involves a failure to enforce configured request boundaries during the transmission of stream-based payloads. When specific configuration parameters are supplied, Axios skips its internal byte-tracking mechanisms.

By bypassing the maxBodyLength restriction, an application transmits streams of indeterminate size to remote endpoints. This results in resource exhaustion, primarily manifesting as excessive network bandwidth utilization on the host system. The lack of bounds checking compromises the availability of the application's outbound networking capabilities.

The branching logic within the Axios HTTP adapter (lib/adapters/http.js) governs how requests are handled based on their configuration. When maxRedirects is set to a value greater than zero, Axios routes the request through the follow-redirects library. This external library intercepts the request payload, monitors the bytes being written to the socket, and enforces the maxBodyLength threshold by throwing an error if the limit is exceeded.

When a developer explicitly sets maxRedirects to zero, the adapter logic bypasses the follow-redirects wrapper. The architectural intent behind this conditional branch is performance optimization, as redirect tracking is deemed unnecessary. The code falls back to utilizing the native Node.js http.request or https.request interfaces directly.

If the provided request payload is an instance of a Readable stream, the adapter executes a direct pipe operation (data.pipe(req)) to the native ClientRequest object. The native Node.js transport lacks internal awareness of Axios-level configuration parameters, including maxBodyLength. Consequently, the stream pipes data continuously without any intermediary proxy to track throughput, ignoring the configured limits entirely.

The vulnerable implementation resides in the native transport fallback path within the Axios HTTP adapter. The logic relies on a standard Node.js stream pipe operation to transfer data from the source to the outgoing network socket.

// Vulnerable logic in lib/adapters/http.js
if (utils.isStream(data)) {
  data.on('error', function handleStreamError(err) {
    req.emit('error', err);
  });
  // Direct pipe without length validation
  data.pipe(req);
}

This implementation fails because the pipe method does not inherently track data throughput against an upper limit. The remediation addresses this flaw by updating the follow-redirects library to version 1.16.0 via commit 770f5ef811fc6ec8e7cea4ff40eb83542957bc3. The updated library implements native length-aware proxying even when HTTP redirects are disabled.

With the patched dependency, the follow-redirects implementation injects a byte-counting mechanism into the stream pipeline. It accumulates chunk sizes as they pass through the stream and emits an error if the sum exceeds the specified threshold. This update ensures that piped streams are subjected to the same validation as static string or buffer bodies, correctly severing the pipe connection upon breach of the configured limit.

Exploiting this vulnerability requires highly specific environmental and configuration conditions. The target application must execute in a Node.js environment. Furthermore, the attacker must have the ability to supply or influence the size of a stream uploaded via the application, such as through a file upload endpoint or a proxy service.

The target Axios request must be configured with maxRedirects: 0 alongside a restrictive maxBodyLength. When the attacker provides a Readable stream that greatly exceeds the defined maximum length, the application begins execution of the request. Axios subsequently ignores the size constraint and transmits the entire malicious payload across the network.

The following proof-of-concept demonstrates the mechanics of the bypass. The script initializes a dummy stream configured to generate continuous output and passes it to an Axios POST request. Despite the explicit 100-byte limit, the script transmits unbounded data.

const axios = require('axios');
const { Readable } = require('stream');
 
const largeStream = new Readable({
  read(size) {
    this.push(Buffer.alloc(size, 'a'));
  }
});
 
axios.post('http://example.com/upload', largeStream, {
  maxBodyLength: 100,
  maxRedirects: 0
}).catch(err => console.error('Error:', err.message));

The direct impact of this vulnerability is resource exhaustion, leading to an Endpoint Denial of Service (T1499). An attacker leverages the flawed logic to force the target application into generating massive volumes of outbound traffic. This consumes available network bandwidth on the host infrastructure running the vulnerable Node.js application.

The vulnerability additionally impacts the remote destination server receiving the oversized request payload. If the upstream server lacks independent request size validation at the reverse proxy or application layer, it processes the massive stream directly. This action depletes memory reserves, consumes disk space, or triggers excessive CPU utilization on the receiving end.

The CVSS v3.1 score is calculated as 5.3 (Medium). The attack vector is strictly Network-based, and the complexity required to exploit it is Low. The impact is isolated to the Availability metric, with Confidentiality and Integrity remaining completely unaffected. The EPSS score indicates a very low probability of active exploitation in the wild (0.05%), due to the specific API configuration parameters required to trigger the bug.

The definitive remediation for this vulnerability requires upgrading Axios to a patched version. Development teams must update to Axios version 1.15.1 or version 0.31.1 for legacy 0.x implementations. This upgrade integrates the required upstream dependency fixes by bumping the follow-redirects package to version 1.16.0 or higher.

If an immediate dependency upgrade is not technically feasible, developers must implement manual byte-counting logic before supplying streams to the Axios API. This strategy involves attaching data event listeners directly to the stream and accumulating the lengths of incoming byte chunks. If the sum surpasses the allowed limit, the stream is manually destroyed.

let bytesRead = 0;
const limit = 1048576; // 1MB limit
 
stream.on('data', (chunk) => {
  bytesRead += chunk.length;
  if (bytesRead > limit) {
    stream.destroy(new Error('Max body length exceeded'));
  }
});

Security and engineering teams should proactively audit all source code utilizing the Axios library. The audit should identify specific combinations of maxRedirects: 0 and stream-based inputs. Removing the maxRedirects: 0 override where it is strictly unnecessary restores standard request behavior, implicitly mitigating the native transport bypass by routing the traffic back through the enforced follow-redirects path.