CVE-2026-42034: maxBodyLength Bypass in Axios Node.js Stream Transport Vulnerability ID: CVE-2026-42034 CVSS Score: 5.3 Published: 2026-05-05 Axios versions prior to 1.15.1 and 0.31.1 contain a flaw in the Node.js HTTP adapter where the maxBodyLength configuration is bypassed. This occurs exclusively when using a stream for the request body and explicitly setting maxRedirects to 0. The bypass leads to the uninhibited transmission of oversized streams, causing potential endpoint denial-of-service via resource exhaustion. TL;DR A flaw in the Axios Node.js adapter bypasses the maxBodyLength limit when streaming uploads with maxRedirects set to 0, allowing unbounded data transmission.…