Vulnerability Description
Axios is a promise-based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses the built-in header protections of Node.js v18+ because those checks apply to HTTP request headers, whereas the injection lands in the multipart body structure. This vulnerability is fixed in 1.15.1.
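The following is an added defender-side example; it is not axios code and not part of the advisory. It shows the two checks a Node.js proxy service would want around this class of bug: validating a Blob/File-like `type` string against the media-type grammar (rejecting CR, LF and other control characters) before it is ever written into a part's Content-Type, and scanning a raw multipart body for part header blocks that contain unexpected or duplicated headers. The function names `isSafeMimeType`, `safePartContentType` and `findInjectedPartHeaders`, the `application/octet-stream` fallback, and the sample body used in the test are assumptions and constructed data, not taken from the project.

```javascript
// Added defensive example (not axios code). Validates a Blob/File-like
// `type` before it is interpolated into a multipart part's Content-Type,
// and detects part header blocks that carry headers they should not.

// RFC 2045 token characters: printable US-ASCII except space, controls
// and tspecials. Used for type, subtype, parameter names and bare values.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Returns true only when `type` is a plain "type/subtype" media type
// (optional ";attr=value" parameters allowed) with no CR, LF or other
// control characters anywhere in the string.
function isSafeMimeType(type) {
  if (typeof type !== 'string' || type.length === 0 || type.length > 255) return false;
  if (/[\x00-\x1F\x7F]/.test(type)) return false; // rejects \r and \n outright
  const [mediaType, ...params] = type.split(';');
  const slash = mediaType.indexOf('/');
  if (slash <= 0) return false;
  const main = mediaType.slice(0, slash);
  const sub = mediaType.slice(slash + 1);
  if (!TOKEN.test(main) || !TOKEN.test(sub)) return false;
  return params.every((p) => {
    const eq = p.indexOf('=');
    if (eq <= 0) return false;
    const attr = p.slice(0, eq).trim();
    const val = p.slice(eq + 1).trim();
    return TOKEN.test(attr) && (TOKEN.test(val) || /^"[^"\\\x00-\x1F\x7F]*"$/.test(val));
  });
}

// Chooses the Content-Type that will actually be written for a part: the
// declared type when it is safe, otherwise a fixed fallback (assumed value).
// It never throws, so a proxy keeps serving while the rejected value is logged.
function safePartContentType(declaredType, fallback = 'application/octet-stream') {
  if (isSafeMimeType(declaredType)) return declaredType;
  console.warn('rejected unsafe part Content-Type:', JSON.stringify(declaredType));
  return fallback;
}

// Detection: scan a raw multipart/form-data body (string) and return the
// header blocks of parts that contain a duplicated or unexpected header.
// A legitimate part carries only Content-Disposition, Content-Type and
// optionally Content-Transfer-Encoding, each at most once.
const EXPECTED = ['content-disposition', 'content-type', 'content-transfer-encoding'];

function findInjectedPartHeaders(body, boundary) {
  const findings = [];
  const parts = body.split(`--${boundary}`).slice(1); // drop the preamble
  for (const part of parts) {
    if (part.startsWith('--')) break;                 // closing delimiter
    const end = part.indexOf('\r\n\r\n');
    if (end === -1) continue;                         // malformed part, no header/body split
    const headerBlock = part.slice(0, end).replace(/^\r\n/, '');
    const names = headerBlock.split('\r\n').map((h) => h.split(':')[0].trim().toLowerCase());
    const counts = {};
    for (const n of names) counts[n] = (counts[n] || 0) + 1;
    const duplicated = Object.values(counts).some((c) => c > 1);
    const unexpected = names.some((n) => !EXPECTED.includes(n));
    if (duplicated || unexpected) findings.push(headerBlock);
  }
  return findings;
}
```

`isSafeMimeType` is deliberately stricter than what browsers tolerate: a reverse proxy that re-encodes uploads gains nothing from forwarding an exotic type string, so anything outside the token grammar falls back to a fixed type. `findInjectedPartHeaders` is the audit-side counterpart, useful over captured request bodies or in a test suite that exercises the upload path of a service built on an affected axios version.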
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Axios | Axios | >= 1.0.0, < 1.15.1 |
Related Weaknesses (CWE)
References
- https://github.com/axios/axios/security/advisories/GHSA-445q-vr5w-6q77 (Exploit, Mitigation, Vendor Advisory)
FAQ
What is CVE-2026-42037?
CVE-2026-42037 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the...
How severe is CVE-2026-42037?
CVE-2026-42037 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-42037?
Check the references section above for vendor advisories and patch information. Affected product: Axios (vendor: Axios), versions >= 1.0.0 and < 1.15.1.