← Back

CVE-2026-44488

nvd nist
Published: Jun 11, 2026Modified: Jun 12, 2026

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 / Impact: 3.6
Source: security-advisories@github.com (Secondary)

Description

Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0.

Affected (1)

Products: Axios: Axios
Axios
1 product
Axios
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Axios
From 1.7.0 to 1.16.0

Related CWEs

CWE-770
Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (2)

Source: security-advisories@github.com
ExploitVendor AdvisoryMitigation
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
ExploitVendor AdvisoryMitigation

Timeline

No history available yet.