CVE-2026-42040: Null Byte Injection via Improper Parameter Serialization in Axios

Axios is a widely utilized promise-based HTTP client for browser and Node.js environments. The library includes various helper modules for data processing, including AxiosURLSearchParams, which handles the serialization of URL parameters. This specific module processes key-value pairs and converts them into URL-encoded query strings suitable for HTTP transmission.

A logic flaw exists within the internal encoding mechanism of this helper class, classified as a Null Byte Interaction Error (CWE-626). During the parameter serialization phase, the encoder applies a secondary replacement function after standard URI encoding. This secondary function is intended to restore specific characters for aesthetic or compatibility reasons.

Due to an incorrect mapping in this secondary step, safe URL-encoded null bytes (%00) are actively replaced with raw null byte characters (\x00). This results in the injection of literal null bytes into the final outgoing request payload. The vulnerability primarily affects environments utilizing Axios versions prior to 0.31.1, as well as the 1.x branch prior to version 1.15.1.

The defect resides in the post-processing phase of the encode utility within lib/helpers/AxiosURLSearchParams.js. The encode function is designed to take an input string, apply the native JavaScript encodeURIComponent function, and then run a custom regular expression replacement. The native function operates correctly, taking an input containing \x00 and converting it safely to %00.

The vulnerability is introduced by the custom replacement logic that immediately follows. The code utilizes a regular expression /[!'()~]|%20|%00/g to identify specific encoded sequences for further modification. When a match is found, the character sequence is passed to a lookup object named charMap to determine the final output string.

The charMap object contains a severe misconfiguration. It explicitly defines a mapping of '%00': '\x00', instructing the application to take the safe %00 string and convert it back into a raw, unencoded null byte. Consequently, any parameter value initially containing a null byte will successfully pass through the standard encoding phase only to be reverted to an unsafe state before transmission.

An examination of the vulnerable source code clearly highlights the encoding regression. The charMap object serves as a static translation dictionary. While most entries handle standard character normalization, the final entry deliberately targets encoded null bytes.

const charMap = {
  '!': '%21',
  "'": '%27',
  '(': '%28',
  ')': '%29',
  '~': '%7E',
  '%20': '+',
  '%00': '\x00' // Vulnerable entry reversing safe encoding
};
 
function encode(val) {
  return encodeURIComponent(val).replace(/[!'()~]|%20|%00/g, (char) => {
    return charMap[char];
  });
}

The patched versions resolve this issue by removing both the dictionary entry and its corresponding trigger in the regular expression. This ensures that the native JavaScript encoding remains intact and is not tampered with by the secondary string replacement function.

const charMap = {
  '!': '%21',
  "'": '%27',
  '(': '%28',
  ')': '%29',
  '~': '%7E',
  '%20': '+'
};
 
function encode(val) {
  return encodeURIComponent(val).replace(/[!'()~]|%20/g, (char) => {
    return charMap[char];
  });
}

Exploitation requires a high degree of complexity due to the non-default execution path. The standard Axios request flow, governed by buildURL.js, does not invoke the flawed AxiosURLSearchParams module by default. An application must explicitly configure a custom paramsSerializer or manually instantiate the vulnerable class to process user-supplied input.

If the prerequisite conditions are met, an attacker can submit a payload containing a literal null byte within a query parameter or form field. The application processes this input, passes it to the flawed serialization function, and constructs an HTTP request containing the raw \x00 byte. This request is then transmitted to the target backend or proxy infrastructure.

The success of the exploit ultimately depends on the behavior of the downstream sink. The raw null byte must cause a parsing anomaly, such as premature string termination in C/C++ backends or evaluation logic bypasses within a Web Application Firewall.

The primary security impact involves the manipulation of downstream systems that expect strictly conforming HTTP parameters. When a raw null byte is injected into a URL or form-encoded body, systems developed in memory-unsafe languages or utilizing legacy CGI parsers may interpret the byte as a string terminator. This forces the parser to discard the remainder of the parameter string, potentially altering application logic.

A secondary consequence is the potential to bypass security filters and Web Application Firewalls (WAFs). A WAF that performs strict validation against URL-encoded inputs may halt inspection upon encountering an unexpected raw null byte. This truncation allows malicious payloads appended after the null byte to pass through the filter undetected, arriving at the backend application intact.

Despite these vectors, the vulnerability is assigned a low CVSS score of 3.7. The high attack complexity, requirement for non-standard developer configurations, and reliance on specific downstream architecture significantly restrict the practical blast radius of this flaw.

The definitive remediation strategy is upgrading the Axios dependency to a patched release. Development teams must ensure their package managers resolve Axios to version 1.15.1 or greater for the 1.x branch, or version 0.31.1 for legacy codebases. This fully removes the flawed mapping from the internal encoding module.

In environments where immediate patching is unfeasible, developers should audit their codebase for custom paramsSerializer implementations. Any logic that explicitly delegates parameter encoding to the AxiosURLSearchParams class should be temporarily replaced with native JavaScript URLSearchParams or standard encodeURIComponent calls.

As a defense-in-depth measure, all applications should implement strict input validation at the outer boundary. Unprintable control characters, including null bytes (\x00), should be actively sanitized or rejected before they reach underlying HTTP client libraries. This practice mitigates similar injection vectors across the application stack.