Description
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.
Published: 2026-04-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Header Injection Leading to Potential Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from a lack of sanitization on the blob.type field in Axios v1.0.0 through v1.15.0. The FormDataPart constructor inserts this field directly into the Content-Type header of each multipart body part, allowing an attacker who controls the type property to inject CRLF sequences. The injection of arbitrary MIME headers into the multipart/form-data body can alter the behavior of servers or clients that parse the payload, potentially leading to information disclosure or request manipulation. This flaw is a classic example of CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection').

Affected Systems

Axios 1.0.0 up to, but not including, 1.15.1 (that is, 1.0.0 through 1.15.0) is affected in both browser and Node.js environments. Applications that accept user-uploaded Blob or File-like objects and forward them via Axios as multipart/form-data are potentially vulnerable. Updating to 1.15.1 or later removes the flaw.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The flaw is not yet listed in CISA's KEV catalog. Exploitation requires an application boundary where an attacker can supply a Blob with a crafted type string, such as through a file-upload endpoint. Because the injection occurs within the multipart body rather than in HTTP headers, it bypasses the built-in header sanitization of Node.js v18+, giving the attacker a way to insert rogue MIME part headers that could affect downstream processing. The impact is confined to applications that process the multipart payload without additional validation.

Generated by OpenCVE AI on April 28, 2026 at 05:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Axios to version 1.15.1 or later.
  • If updating is not immediately possible, sanitize the type attribute of any Blob/File-like objects before they are passed to Axios, stripping or escaping CRLF characters and limiting it to a safe set of MIME types.
  • Enforce strict MIME type validation on the server side for user-uploaded files, rejecting or neutralizing any payload with embedded CRLF sequences.
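As an added illustration of the two sanitization steps above (this is example code, not code from Axios or from this advisory): a strict media-type validator that an upload proxy can apply to blob.type before the object reaches FormData, and that a receiving server can apply to each part's declared Content-Type. The allowlist, the fallback type and the function names are assumptions for this example.

```javascript
// Added example, not part of axios or this advisory. Validates a Blob/File
// `type` before it is interpolated into a multipart part's Content-Type header.
// The allowlist and fallback below are assumptions for a hypothetical upload proxy.

// RFC 6838 restricted-name grammar: type and subtype each start with an
// alphanumeric, use a small punctuation set, and are at most 127 characters.
// CR, LF, ';', quotes and whitespace are all outside this grammar, so a value
// that matches cannot smuggle a second header line or a parameter.
const MIME_TYPE_RE =
  /^[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}\/[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}$/;

// Media types this hypothetical service is willing to forward (assumption).
const ALLOWED_MIME_TYPES = new Set(['image/png', 'image/jpeg', 'application/pdf']);

// Structural check only: true when `type` is a single well-formed type/subtype.
function isSafeMimeType(type) {
  return typeof type === 'string' && MIME_TYPE_RE.test(type);
}

// Returns the lower-cased media type to place in the part header, the fallback
// when the blob declares none, and throws for anything malformed or off-list.
function sanitizeMimeType(type, fallback = 'application/octet-stream') {
  if (type === undefined || type === null || type === '') return fallback;
  if (!isSafeMimeType(type)) {
    throw new TypeError('rejected Content-Type: malformed or contains control characters');
  }
  const normalized = type.toLowerCase();
  if (!ALLOWED_MIME_TYPES.has(normalized)) {
    throw new TypeError(`rejected Content-Type: ${normalized} is not in the allowlist`);
  }
  return normalized;
}

// Re-wraps a Blob so the `type` that axios reads is the validated one.
// new Blob([blob], { type }) copies the bytes and discards the original type.
// Requires the global Blob available in Node.js 18+ and in browsers.
function withSafeType(blob, fallback) {
  return new Blob([blob], { type: sanitizeMimeType(blob.type, fallback) });
}
```

On the server side the same sanitizeMimeType check can be run on the Content-Type value parsed from each received part before the part is stored or forwarded.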



Advisories

Source: GitHub GHSA
ID: GHSA-445q-vr5w-6q77
Title: Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
History

Wed, 29 Apr 2026 01:15:00 +0000
  Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 00:15:00 +0000
  Type: References (no values listed)
  Type: Metrics (threat_severity)
  Values removed: None
  Values added: Moderate

Mon, 27 Apr 2026 20:00:00 +0000
  Type: First Time appeared
  Values added: Axios; Axios axios
  Type: CPEs
  Values added: cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*
  Type: Vendors & Products
  Values added: Axios; Axios axios

Fri, 24 Apr 2026 18:15:00 +0000
  Type: Description
  Values added: Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.
  Type: Title
  Values added: Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
  Type: Weaknesses
  Values added: CWE-93
  Type: References (no values listed)
  Type: Metrics (cvssV3_1)
  Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-04-27T17:37:06.975Z
  Reserved: 2026-04-23T16:05:01.708Z
  Link: CVE-2026-42037

Vulnrichment
  Updated: 2026-04-27T17:36:41.198Z

NVD
  Status: Analyzed
  Published: 2026-04-24T18:16:30.543
  Modified: 2026-04-27T19:54:56.873
  Link: CVE-2026-42037

Red Hat
  Severity: Moderate
  Public Date: 2026-04-24T17:58:16Z
  Links: CVE-2026-42037 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-04-28T06:00:09Z

Weaknesses