Axios is a promise-based HTTP client for the browser and Node.js. In versions prior to 1.15.1 and 0.31.1, when the request body is supplied as a stream and maxRedirects is set to 0 (the native http/https transport path, which axios uses instead of its redirect-following transport in that case), the maxBodyLength option is bypassed: an oversized streamed upload is sent in full even though the caller set a strict body limit. Non-stream bodies and requests with maxRedirects left at its default are not affected by this particular bypass. The issue is fixed in 1.15.1 and 0.31.1.
| Vendor | Product | Versions |
|---|---|---|
| axios | axios | npm/axios >= 1.0.0, < 1.15.1; npm/axios <= 0.31.0 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| ibm | app connect enterprise | cert_advisory | 90% |
| npm | axios | GHSA | 85% |
Updated severity from MEDIUM to HIGH and marked the vulnerability as actively exploited.
Initial creation