Description
Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0.
Published: 2026-06-11
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Axios did not enforce configured request or response size limits when the fetch adapter was used, allowing attacker-controlled payloads to exceed the configured maxContentLength or maxBodyLength thresholds. This can cause a server to consume excessive memory or network resources, leading to a denial of service. The weakness corresponds to CWE-770, "Unchecked Input Size for Resource Allocation."

Affected Systems

JavaScript applications that use the axios library, specifically versions 1.7.0 through 1.15.x, are affected when the fetch adapter is active. This includes Node.js and browser environments that default to the fetch adapter. The vulnerability is mitigated in axios 0.32.0 and 1.16.0 and later.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity; the EPSS score is not available and the vulnerability is not listed in CISA KEV. An attacker can exploit the flaw by either providing an oversized response from a malicious or compromised server, submitting a large data: URL, or forwarding large request bodies through axios while relying on the misapplied body length limits. The attack is feasible in any scenario where user input is forwarded with axios and the fetch adapter is present, making it a significant risk to applications that cannot immediately update the library.

Generated by OpenCVE AI on June 11, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade axios to version 1.16.0 or later (or 0.32.0 or later).
  • If an upgrade is not immediately possible, validate all incoming request bodies and reject them if they exceed an imposed size limit before passing data to axios.
  • Disable the fetch adapter in environments that automatically select it, or replace it with a custom adapter that respects configured size limits.

Generated by OpenCVE AI on June 11, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-777c-7fjr-54vf Allocation of Resources Without Limits or Throttling in Axios
History

Thu, 11 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Axios
Axios axios
Vendors & Products Axios
Axios axios

Thu, 11 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0.
Title Axios: Allocation of Resources Without Limits or Throttling in axios
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Axios Axios
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T18:27:29.931Z

Reserved: 2026-05-06T17:18:51.783Z

Link: CVE-2026-44488

cve-icon Vulnrichment

Updated: 2026-06-11T18:16:18.709Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-11T17:16:32.750

Modified: 2026-06-11T20:56:29.653

Link: CVE-2026-44488

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T20:30:28Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling