CVE-2026-42037: CRLF Injection in Axios Multipart Form Data Generation

Vulnerability ID: CVE-2026-42037
CVSS Score: 5.3
Published: 2026-05-05

A CRLF injection vulnerability exists in Axios versions 1.0.0 through 1.15.0 when operating in a Node.js environment. The flaw allows attackers to inject arbitrary headers into multipart/form-data payloads due to improper sanitization of the file type property, bypassing native Node.js HTTP header protections.

TL;DR

Axios < 1.15.1 is vulnerable to CRLF injection within multipart/form-data bodies. Attackers controlling the MIME type of uploaded files can inject malicious headers or manipulate the body payload. Upgrading to 1.15.1 resolves the issue.…
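The flaw class described above, shown as an added example that is neither Axios source code nor the 1.15.1 patch: a part-header builder that copies the file type verbatim, next to one that validates it against the media-type grammar before use. All function names are hypothetical and the sample file object is constructed.

```javascript
// Added example, not Axios source. All function names are hypothetical.

// RFC 7230 "token" characters; a media type is token "/" token plus optional parameters.
const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
const MEDIA_TYPE = new RegExp(`^${TOKEN}/${TOKEN}(?:[ \\t]*;[ \\t]*${TOKEN}=${TOKEN})*$`);
const FALLBACK_TYPE = "application/octet-stream";

// Return the type only if it is a well-formed media type; otherwise a safe fallback.
// CR and LF are not token characters, so a value containing a line break never passes.
function safeContentType(type) {
  return typeof type === "string" && MEDIA_TYPE.test(type) ? type : FALLBACK_TYPE;
}

// Percent-encode characters that would end a quoted parameter or a header line,
// as the WHATWG multipart/form-data encoding does for names and filenames.
function escapeParam(value) {
  return String(value).replace(/\r/g, "%0D").replace(/\n/g, "%0A").replace(/"/g, "%22");
}

// Build the header block of one multipart part from an already chosen content type.
function partHeaders(name, file, contentType) {
  return `Content-Disposition: form-data; name="${escapeParam(name)}"; ` +
    `filename="${escapeParam(file.name)}"\r\n` +
    `Content-Type: ${contentType}\r\n\r\n`;
}

// Unsafe pattern: the caller-supplied type reaches the part headers unchecked.
const naivePartHeaders = (name, file) => partHeaders(name, file, file.type);

// Hardened pattern: the type is validated before it is written.
const hardenedPartHeaders = (name, file) =>
  partHeaders(name, file, safeContentType(file.type));

// List the header names a receiving parser would see in one part's header block.
function headerNames(block) {
  const head = block.split("\r\n\r\n")[0];
  return head.split("\r\n").map((line) => line.slice(0, line.indexOf(":")).toLowerCase());
}

// Constructed sample input: a file object whose type carries a line break.
const sample = { name: "report.txt", type: "text/plain\r\nX-Added: 1" };
console.log(headerNames(naivePartHeaders("upload", sample)));
console.log(headerNames(hardenedPartHeaders("upload", sample)));
```

A check like `safeContentType` can sit in front of any code path that passes user-influenced file metadata to an HTTP client, independently of upgrading to 1.15.1.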