| Vulnerability ID | VCID-e86t-8z3n-sqgd |
| Aliases | CVE-2026-42037 |
| Summary | Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1. |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 0.0 |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| There are no known CWE. |
| System | Score | Found at |
|---|---|---|
| There are no known severity scores. | | |
| Reference id | Reference type | URL |
|---|---|---|
| | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42037 |
| 1134878 | | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878 |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-04-25T23:21:55.234559+00:00 | Debian Importer | Import | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |