CVE-2026-42037 - Vulnerability Analysis
MediumCVSS: 5.3Last Updated: April 27, 2026
Axios - HTTP Header Injection
Published: April 24, 2026Updated: April 27, 2026PoC AvailableRemote Exploitable
Overview
Axios 1.0.0 to < 1.15.1 contains a HTTP header injection caused by unsanitized CRLF sequences in FormDataPart constructor's value.type, letting attackers inject arbitrary MIME part headers, exploit requires control of Blob/File-like object's type property.
Severity & Score
Severity: Medium
CVSS Score: 5.3
Impact
Attackers can inject arbitrary MIME headers in multipart form-data, potentially bypassing built-in header protections and manipulating request bodies.
Mitigation
Upgrade to version 1.15.1 or later.
Related Resources
Details
- CVE ID
- CVE-2026-42037
- Severity
- Medium
- CVSS Score
- 5.3
- Type
- undefined
- Status
- confirmed
CWE
- CWE-93
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N