CVE-2026-42037 - Vulnerability Details

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Axios	Axios

Configuration 1 [-]

cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/axios/axios/security/advisories/GHSA-445q-vr5w-6q77
https://nvd.nist.gov/vuln/detail/CVE-2026-42037
https://www.cve.org/CVERecord?id=CVE-2026-42037

History

Wed, 29 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 29 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-42037 https://www.cve.org/CVERecord?id=CVE-2026-42037
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 27 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Axios Axios axios
CPEs		cpe:2.3:a:axios:axios::::::node.js::*
Vendors & Products		Axios Axios axios

Fri, 24 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
Description		Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.
Title		Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
Weaknesses		CWE-93
References		https://github.com/axios/axios/security/advisories/GHSA-445q-vr5w-6q77
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-24T17:58:16.058Z

Updated: 2026-04-27T17:37:06.975Z

Reserved: 2026-04-23T16:05:01.708Z

Link: CVE-2026-42037

Vulnrichment

Updated: 2026-04-27T17:36:41.198Z

NVD

Status : Analyzed

Published: 2026-04-24T18:16:30.543

Modified: 2026-04-27T19:54:56.873

Link: CVE-2026-42037

Redhat

Severity : Moderate

Publid Date: 2026-04-24T17:58:16Z

Links: CVE-2026-42037 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object