CVE-2026-42040: Null Byte Injection via Improper Parameter Serialization in Axios

DEV Community·CVE Reports·28 days ago

Vulnerability ID: CVE-2026-42040
CVSS Score: 3.7
Published: 2026-05-05

Axios versions prior to 0.31.1 and 1.x versions prior to 1.15.1 contain a Null Byte Injection vulnerability (CWE-626) in the AxiosURLSearchParams module. A logic defect in the internal parameter encoder incorrectly reverts safely encoded null bytes (%00) back into raw null byte characters. This flaw can facilitate path truncation attacks or security filter bypasses when interacting with vulnerable downstream systems.

TL;DR
A logic flaw in Axios's URL parameter serializer reverts safely encoded null bytes (%00) back to raw null characters. This requires a specific non-default configuration to trigger but can lead to downstream parsing errors or WAF bypasses.…
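The defect class the advisory describes, as an added illustration that is not Axios's code and not the project's patch: a percent-encoder whose post-processing "readability" rewrite maps the safe sequence %00 back to a raw NUL, shown beside a hardened form and an egress check that flags any raw control character in a serialized query string. The encoder shape, the function names (encodeParamVulnerable, encodeParamFixed, serializeParams, hasRawControlChars) and the sample parameters are all constructed for this example; the page does not say which non-default configuration reaches the faulty encoder, so the example does not model that.

```javascript
// Constructed example: a parameter encoder with the described bug.
// encodeURIComponent() emits "%00" for a NUL; a replacement table meant to
// make the output friendlier then turns that "%00" back into "\x00".
// Not Axios's implementation; the table contents are assumptions.
function encodeParamVulnerable(str) {
  const charMap = {
    '!': '%21', "'": '%27', '(': '%28', ')': '%29', '~': '%7E',
    '%20': '+',
    '%00': '\x00', // the defect: a safely encoded NUL is reverted to a raw NUL
  };
  return encodeURIComponent(str).replace(/[!'()~]|%20|%00/g, (m) => charMap[m]);
}

// Hardened form: same readability rewrites, but "%00" is never touched, so a
// NUL in an attacker-controlled value stays percent-encoded on the wire.
function encodeParamFixed(str) {
  const charMap = {
    '!': '%21', "'": '%27', '(': '%28', ')': '%29', '~': '%7E',
    '%20': '+',
  };
  return encodeURIComponent(str).replace(/[!'()~]|%20/g, (m) => charMap[m]);
}

// Serialize a flat params object into "k=v&k=v" with a pluggable encoder,
// mirroring how a URL search-params helper is typically driven.
function serializeParams(params, encode) {
  return Object.entries(params)
    .map(([k, v]) => `${encode(k)}=${encode(String(v))}`)
    .join('&');
}

// Egress check: a correctly serialized query string must contain no raw C0
// control characters (0x00-0x1f) or DEL (0x7f); all of them must still be
// percent-encoded. Returns true when a raw control character leaked through.
function hasRawControlChars(serialized) {
  return /[\x00-\x1f\x7f]/.test(serialized);
}

// Constructed attacker-controlled input: a filename with an embedded NUL,
// the classic path-truncation shape ("report.pdf" then "\0.html").
const sampleParams = { file: 'report.pdf\x00.html', page: '1 2' };

const vulnerableOutput = serializeParams(sampleParams, encodeParamVulnerable);
const fixedOutput = serializeParams(sampleParams, encodeParamFixed);

console.log(JSON.stringify(vulnerableOutput)); // raw \u0000 present
console.log(JSON.stringify(fixedOutput));      // "file=report.pdf%00.html&page=1+2"
console.log('vulnerable leaks NUL:', hasRawControlChars(vulnerableOutput));
console.log('fixed leaks NUL:     ', hasRawControlChars(fixedOutput));
```

The hasRawControlChars check is the part worth keeping: run it over whatever your HTTP layer actually puts on the wire (a serializer unit test, or a request interceptor) rather than trusting any one encoder, because the advisory's point is that an encoder can be correct up to its last step and still undo its own work.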
