Vulnerability-Lookup

CVE-2026-44488 (GCVE-0-2026-44488)

Vulnerability from cvelistv5 – Published: 2026-06-11 15:37 – Updated: 2026-06-11 18:27

Title

Axios: Allocation of Resources Without Limits or Throttling in axios

Summary

Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.7.0, < 1.16.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44488",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-11T18:16:26.938269Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T18:27:29.931Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.7.0, \u003c 1.16.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: \u0027fetch\u0027, or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-11T15:37:38.013Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
        }
      ],
      "source": {
        "advisory": "GHSA-777c-7fjr-54vf",
        "discovery": "UNKNOWN"
      },
      "title": "Axios: Allocation of Resources Without Limits or Throttling in axios"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44488",
    "datePublished": "2026-06-11T15:37:38.013Z",
    "dateReserved": "2026-05-06T17:18:51.783Z",
    "dateUpdated": "2026-06-11T18:27:29.931Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44488\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-11T17:16:32.750\",\"lastModified\":\"2026-06-11T20:56:29.653\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: \u0027fetch\u0027, or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"references\":[{\"url\":\"https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44488\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-11T18:16:26.938269Z\"}}}], \"references\": [{\"url\": \"https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-11T18:16:18.709Z\"}}], \"cna\": {\"title\": \"Axios: Allocation of Resources Without Limits or Throttling in axios\", \"source\": {\"advisory\": \"GHSA-777c-7fjr-54vf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"axios\", \"product\": \"axios\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.7.0, \u003c 1.16.0\"}]}], \"references\": [{\"url\": \"https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf\", \"name\": \"https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: \u0027fetch\u0027, or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-11T15:37:38.013Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44488\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-11T18:27:29.931Z\", \"dateReserved\": \"2026-05-06T17:18:51.783Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-11T15:37:38.013Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44488

Vulnerability from fkie_nvd - Published: 2026-06-11 17:16 - Updated: 2026-06-11 19:16

Severity

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: \u0027fetch\u0027, or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0."
    }
  ],
  "id": "CVE-2026-44488",
  "lastModified": "2026-06-11T19:16:41.543",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-11T17:16:32.750",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-777C-7FJR-54VF

Vulnerability from github – Published: 2026-06-04 14:21 – Updated: 2026-06-04 14:21

Summary

Allocation of Resources Without Limits or Throttling in Axios

Details

Summary

Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured.

This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary.

Impact

The impact is availability-only. Affected applications may process, buffer, or transmit data beyond the configured limit, potentially exhausting memory, CPU, or network resources.

This does not affect axios’s default unlimited behaviour by itself: maxContentLength and maxBodyLength default to -1. The vulnerability exists when an application has configured finite limits and expects axios to enforce them.

Server-side runtimes are the primary concern. Browser impact is generally constrained by the browser process and browser fetch behavior, and should not be described as server process exhaustion.

Affected Functionality

Affected functionality includes requests using the built-in fetch adapter with finite maxContentLength or maxBodyLength values.

Relevant configurations include:

adapter: 'fetch'
adapter: ['fetch', ...] when fetch is selected
environments where neither xhr nor http is available and axios falls back to fetch
custom fetch environments configured through env.fetch

Unaffected functionality includes:

Node.js default http adapter enforcement
versions before the fetch adapter was introduced
configurations that do not rely on finite axios size limits

Technical Details

In vulnerable versions, lib/adapters/fetch.js destructured request config without maxContentLength or maxBodyLength. The adapter dispatched fetch() and then materialized the response through text(), arrayBuffer(), blob(), or related resolvers without checking the configured response limit.

The fix in e5540dc added:

maxContentLength and maxBodyLength reads in lib/adapters/fetch.js
upfront data: URL decoded-size checks
outbound body-size checks before dispatch
Content-Length response pre-checks
streaming response enforcement
fallback checks for environments without ReadableStream
regression tests in tests/unit/adapters/fetch.test.js

Proof of Concept of Attack

import http from 'node:http';
import axios from 'axios';

const server = http.createServer((req, res) => {
  let received = 0;

  req.on('data', chunk => {
    received += chunk.length;
  });

  req.on('end', () => {
    res.end(JSON.stringify({ received }));
  });
});

await new Promise(resolve => server.listen(0, resolve));
const url = `http://127.0.0.1:${server.address().port}/`;

await axios.post(url, 'A'.repeat(2 * 1024 * 1024), {
  adapter: 'fetch',
  maxBodyLength: 1024
});

// Vulnerable versions succeed and the server receives 2097152 bytes.
// Fixed versions reject with ERR_BAD_REQUEST.

server.close();

Workarounds

Use the Node.js http adapter for server-side requests where finite size limits are security-relevant.

Validate or cap attacker-controlled request bodies before passing them to axios.

Reject or strictly allowlist attacker-controlled URL schemes, especially data: URLs, before calling axios.

Original Report ### Summary When Axios is used with adapter: 'fetch', configured body/response size limits are not enforced. This allows oversized uploads/downloads (including data: URLs) despite explicit limits, which can lead to memory/resource exhaustion in server-side usage. ### Details maxBodyLength and maxContentLength are not applied in the fetch adapter flow: - lib/adapters/fetch.js (146-160): config destructuring does not include these controls. - lib/adapters/fetch.js (220-234): request is dispatched with fetch() without request-size enforcement. - lib/adapters/fetch.js (267-283): response is materialized via text(), arrayBuffer(), blob(), etc. without response-size checks. By contrast, the HTTP adapter enforces both limits. ### PoC Environment: - Axios main at commit f7a4ee2 - Node v24.2.0 Steps: 1. Start an HTTP server that counts received bytes and echoes {received}. 2. Send 2 MiB with: - adapter: 'fetch' - maxBodyLength: 1024 3. Request a 4 KiB data: URL with: - adapter: 'fetch' - maxContentLength: 16 Expected secure behavior: both requests rejected. Observed: - Upload: success, server received 2097152 - data: response: success, length 4096 ### Impact Type: DoS / resource exhaustion due to limit bypass. Impacted: applications using Axios fetch adapter as a server-side security control boundary for untrusted request/response sizes.

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "axios"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44488"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-04T14:21:37Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nAxios versions `1.7.0` through `1.15.x` did not enforce configured request and response size limits when requests were sent with the `fetch` adapter. Applications that selected `adapter: \u0027fetch\u0027`, or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than `maxContentLength` or `maxBodyLength` despite those limits being explicitly configured.\n\nThis can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large `data:` URL, or when an application forwards attacker-controlled request bodies through axios while relying on `maxBodyLength` as a boundary.\n\n## Impact\n\nThe impact is availability-only. Affected applications may process, buffer, or transmit data beyond the configured limit, potentially exhausting memory, CPU, or network resources.\n\nThis does not affect axios\u2019s default unlimited behaviour by itself: `maxContentLength` and `maxBodyLength` default to `-1`. The vulnerability exists when an application has configured finite limits and expects axios to enforce them.\n\nServer-side runtimes are the primary concern. Browser impact is generally constrained by the browser process and browser fetch behavior, and should not be described as server process exhaustion.\n\n## Affected Functionality\n\nAffected functionality includes requests using the built-in `fetch` adapter with finite `maxContentLength` or `maxBodyLength` values.\n\nRelevant configurations include:\n\n- `adapter: \u0027fetch\u0027`\n- `adapter: [\u0027fetch\u0027, ...]` when `fetch` is selected\n- environments where neither `xhr` nor `http` is available and axios falls back to `fetch`\n- custom fetch environments configured through `env.fetch`\n\nUnaffected functionality includes:\n\n- Node.js default `http` adapter enforcement\n- versions before the fetch adapter was introduced\n- configurations that do not rely on finite axios size limits\n\n## Technical Details\n\nIn vulnerable versions, `lib/adapters/fetch.js` destructured request config without `maxContentLength` or `maxBodyLength`. The adapter dispatched `fetch()` and then materialized the response through `text()`, `arrayBuffer()`, `blob()`, or related resolvers without checking the configured response limit.\n\nThe fix in `e5540dc` added:\n\n- `maxContentLength` and `maxBodyLength` reads in `lib/adapters/fetch.js`\n- upfront `data:` URL decoded-size checks\n- outbound body-size checks before dispatch\n- `Content-Length` response pre-checks\n- streaming response enforcement\n- fallback checks for environments without `ReadableStream`\n- regression tests in `tests/unit/adapters/fetch.test.js`\n\n## Proof of Concept of Attack\n\n```js\nimport http from \u0027node:http\u0027;\nimport axios from \u0027axios\u0027;\n\nconst server = http.createServer((req, res) =\u003e {\n  let received = 0;\n\n  req.on(\u0027data\u0027, chunk =\u003e {\n    received += chunk.length;\n  });\n\n  req.on(\u0027end\u0027, () =\u003e {\n    res.end(JSON.stringify({ received }));\n  });\n});\n\nawait new Promise(resolve =\u003e server.listen(0, resolve));\nconst url = `http://127.0.0.1:${server.address().port}/`;\n\nawait axios.post(url, \u0027A\u0027.repeat(2 * 1024 * 1024), {\n  adapter: \u0027fetch\u0027,\n  maxBodyLength: 1024\n});\n\n// Vulnerable versions succeed and the server receives 2097152 bytes.\n// Fixed versions reject with ERR_BAD_REQUEST.\n\nserver.close();\n```\n\n## Workarounds\n\nUse the Node.js `http` adapter for server-side requests where finite size limits are security-relevant.\n\nValidate or cap attacker-controlled request bodies before passing them to axios.\n\nReject or strictly allowlist attacker-controlled URL schemes, especially `data:` URLs, before calling axios.\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Report\u003c/summary\u003e\n\n### Summary\nWhen Axios is used with adapter: \u0027fetch\u0027, configured body/response size limits are not enforced. This allows oversized uploads/downloads (including data: URLs) despite explicit limits, which can lead to memory/resource exhaustion in server-side usage.\n\n### Details\nmaxBodyLength and maxContentLength are not applied in the fetch adapter flow:\n  - lib/adapters/fetch.js (146-160): config destructuring does not include these controls.\n  - lib/adapters/fetch.js (220-234): request is dispatched with fetch() without request-size enforcement.\n  - lib/adapters/fetch.js (267-283): response is materialized via text(), arrayBuffer(), blob(), etc. without response-size checks.\nBy contrast, the HTTP adapter enforces both limits.\n\n### PoC\n  Environment:\n  - Axios main at commit f7a4ee2\n  - Node v24.2.0\n\nSteps:\n  1. Start an HTTP server that counts received bytes and echoes {received}.\n  2. Send 2 MiB with:\n      - adapter: \u0027fetch\u0027\n      - maxBodyLength: 1024\n  3. Request a 4 KiB data: URL with:\n      - adapter: \u0027fetch\u0027\n      - maxContentLength: 16\n\nExpected secure behavior: both requests rejected.\n Observed:\n  - Upload: success, server received 2097152\n  - data: response: success, length 4096\n\n### Impact\nType: DoS / resource exhaustion due to limit bypass.\nImpacted: applications using Axios fetch adapter as a server-side security control boundary for untrusted request/response sizes.\n\u003c/details\u003e\n\n---",
  "id": "GHSA-777c-7fjr-54vf",
  "modified": "2026-06-04T14:21:37Z",
  "published": "2026-06-04T14:21:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/pull/10795"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/pull/10796"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/axios/axios"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/releases/tag/v1.16.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Allocation of Resources Without Limits or Throttling in Axios"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44488 (GCVE-0-2026-44488)

FKIE_CVE-2026-44488

GHSA-777C-7FJR-54VF

Summary

Impact

Affected Functionality

Technical Details

Proof of Concept of Attack

Workarounds

Tags

Sightings

Nomenclature