CVE-2026-42040 - Vulnerability Details

- Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1.

Published: 2026-04-24

Score: 3.7 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Axios HTTP client contains a flaw in the encode() function used for URL query string generation. The function contains a mapping that intentionally reverses percent‑encoded null bytes, turning the safe %00 sequence back into a raw null byte. This allows an attacker to inject a null byte into data that is passed through the encoder, potentially corrupting downstream string handling or truncating values at null boundaries. While the vulnerability does not affect the standard request flow of Axios, it could be exploited in custom usage patterns or by libraries that reuse the encoder without full control.

Affected Systems

Axios releases before 1.15.1 and 0.31.1 are affected. The issue exists in the Axios library for both browser and Node.js environments. Any deployment that uses Axios directly or through a dependency graph that pulls in the vulnerable version is impacted.

Risk and Exploitability

The CVSS score of 3.7 indicates moderate severity. The EPSS score is below 1%, indicating a low probability of active exploitation, and Axios is not listed in CISA KEV catalog. The likely attack vector is via crafted URLs or direct usage of the encode() function to inject a raw null byte. Because the injection could cause data truncation or corruption, the impact is primarily data integrity rather than confidentiality or availability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

axios

affected

Version	Status	Constraints
`>= 1.0.0, < 1.15.1`	affected	—
`< 0.31.1`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:axios:axios::::::node.js::*
	cpe:2.3:a:axios:axios::::::node.js::*

No data.

Vendor Product Confidence Versions

Axios

100%

Version	Status	Scheme	Platform
`[1.0.0,1.15.1)`	affected	semver	—
`[0,0.31.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Axios to version 1.15.1 or later, or to 0.31.1 or later, to remove the reverse mapping flaw.
Avoid using AxiosURLSearchParams.encode() directly; sanitize input data to ensure no raw null bytes are passed to the encoder.
Review any third‑party libraries or custom code that constructs URLs via AxiosURLSearchParams in order to detect and eliminate any raw null byte injection points.

Generated by OpenCVE AI on April 28, 2026 at 13:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-xhjh-pmcv-23jw	Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00061.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw

History

Mon, 27 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Axios Axios axios
CPEs		cpe:2.3:a:axios:axios::::::node.js::*
Vendors & Products		Axios Axios axios

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 24 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1.
Title		Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
Weaknesses		CWE-116 CWE-626
References		https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw
Metrics		cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Axios Axios

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-24T17:40:31.125Z

Updated: 2026-04-27T13:48:06.659Z

Reserved: 2026-04-23T16:05:01.709Z

Link: CVE-2026-42040

Vulnrichment

Updated: 2026-04-27T13:47:53.257Z

NVD

Status : Analyzed

Published: 2026-04-24T18:16:30.960

Modified: 2026-04-27T20:09:07.257

Link: CVE-2026-42040

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:45:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object