CVE-2026-42036: maxContentLength Bypass and Resource Exhaustion in Axios

Vulnerability ID: CVE-2026-42036
CVSS Score: 5.3
Published: 2026-05-05

A resource exhaustion vulnerability exists in the Axios Node.js HTTP client where the maxContentLength configuration is not enforced for stream responses, potentially causing Denial of Service.

TL;DR

Axios fails to enforce response size limits on streams, allowing an attacker to supply infinite data streams that bypass configured boundaries and cause local resource exhaustion.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-770
Attack Vector: Network
CVSS Score: 5.3
EPSS Score: 0.00051
Impact: Denial of Service
Exploit Status: PoC
CISA KEV: False

Affected Systems

Node.js Applications using Axios
Services utilizing Axios for streaming external resources

axios: < 0.31.1 (Fixed in: 0.31.1)
axios: >= 1.0.0, < 1.15.1 (Fixed in: 1.15.1)

Code Analysis

Commit: 770f5ef
Bump follow-redirects to enforce maxBodyLength on streams

Exploit Details

Research…
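A consumer-side guard for the stream case described in the TL;DR, as an added example (not code from Axios or from this advisory): a byte-counting Transform that fails the pipeline once a streamed body exceeds a cap, so the application does not rely on the client library to enforce the limit. The names `ByteLimit`, `readCapped`, `endlessSource` and the error code `ERR_BODY_TOO_LARGE` are hypothetical, and the endless source is a constructed stand-in for an unbounded response.

```javascript
const { Readable, Transform } = require('node:stream');
const { pipeline } = require('node:stream/promises');

// Pass-through stage that errors once more than maxBytes have gone by.
class ByteLimit extends Transform {
  constructor(maxBytes) {
    super();
    this.maxBytes = maxBytes;
    this.seen = 0;
  }

  _transform(chunk, _encoding, done) {
    this.seen += chunk.length;
    if (this.seen > this.maxBytes) {
      const err = new Error(`response body exceeded ${this.maxBytes} bytes`);
      err.code = 'ERR_BODY_TOO_LARGE'; // hypothetical code, not an Axios error
      return done(err);                // destroys this stage; pipeline tears down the rest
    }
    done(null, chunk);
  }
}

// Buffer a streamed body in memory, but never more than maxBytes of it.
// On overflow the returned promise rejects and `source` is destroyed,
// which for an HTTP response closes the underlying connection.
async function readCapped(source, maxBytes) {
  const chunks = [];
  await pipeline(source, new ByteLimit(maxBytes), async (limited) => {
    for await (const chunk of limited) chunks.push(chunk);
  });
  return Buffer.concat(chunks);
}

// Constructed stand-in for a server that never stops sending data.
function endlessSource() {
  return new Readable({
    read() {
      this.push(Buffer.alloc(16 * 1024, 0x41));
    },
  });
}
```

With Axios, `source` would be the `response.data` stream of a request made with `responseType: 'stream'`; when writing to disk rather than memory, place `new ByteLimit(n)` between the response and the file stream in the same `pipeline` call.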