HarborGuard Database

Severity: HIGH | CVE-2026-44488 | CNA: GitHub_M

CVE-2026-44488: Axios: Allocation of Resources Without Limits or Throttling in axios

Axios is a promise-based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or that ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An allocation-without-limits vulnerability in Axios (the Node.js and browser HTTP client) allows configured size limits to be silently bypassed when the fetch adapter is in use. The flaw is reachable over the network with no authentication required, meaning any remote party that can influence response bodies or request payloads can trigger it. Successful exploitation causes resource exhaustion on the affected Node.js server, resulting in service disruption. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream fix versions are published to supported registries.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-44488 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Node.js images that bundle an affected Axios release. Coverage extends to both registry scans and in-pipeline image checks at build time.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 7.5 HIGH and surfacing it alongside per-environment compliance policy weighting, so that teams with strict availability SLOs see it prioritized accordingly. Triage routing is available to direct findings to the correct team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

Because no fix version has been published upstream yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a confirmed fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention as soon as the upstream patch lands.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected service over the network, either by acting as a malicious remote server returning an oversized response, or by supplying attacker-controlled data to an application that uses Axios to forward requests.

  • Authentication: Not required

    No credentials or session token are needed; the bypass is triggered purely by the size and content of network-delivered payloads.

  • Victim interaction: Not required

    No user action is required; the vulnerable code path executes server-side whenever Axios makes an outbound request through the fetch adapter.

  • Attack complexity: Low (AC:L)

    Exploit reliability is high and condition-free; no race conditions, memory layout knowledge, or environmental tuning are needed to trigger the size-limit bypass.

Blast Radius

  • An attacker controlling a remote server can return an arbitrarily large response body, exhausting heap memory or open file descriptors on the Node.js process.
  • An attacker who can supply a large data: URL causes Axios to process it without enforcing maxContentLength, consuming CPU and memory until the process stalls or crashes.
  • An application that forwards attacker-controlled request bodies through Axios while relying on maxBodyLength as a safety boundary will transmit oversized payloads, potentially overwhelming downstream services as well.
  • In all cases the direct outcome is denial of service against the server-side process running the affected Axios version; confidentiality and data integrity are not directly affected.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of this advisory is active, with the ingest pipeline re-evaluating fix availability on every cycle. Because no upstream fix version has been confirmed at time of publication, no patched rebuild is available yet. In the interim, customers can apply compensating controls through HarborGuard policy configuration: network-policy isolation rules that restrict which external hosts affected services may call, egress filtering to block unexpected or oversized response sources, and feature-flag or build-arg gating to force axios to the http or https adapter rather than the fetch adapter in Node.js environments. When a confirmed fix is published upstream, a patched-image rebuild will become available immediately; for customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger automatically without manual steps.
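The following is an added example written for this record; it is not code from the axios project or from HarborGuard. It shows, in working Node.js, the compensating controls the description and the section above point at: pinning the http adapter with explicit maxContentLength and maxBodyLength (real axios config keys), and, as defense in depth that does not depend on which adapter enforces anything, a byte-budgeted body reader that cancels an oversized stream before it accumulates in memory, plus a pre-request size check for data: URLs. The byte limits, the BoundedBody and readWithLimit names, and the chunk fixtures are constructed assumptions; the code assumes Node.js 18 or later (global ReadableStream and TextEncoder).

```javascript
// Added example (not axios or HarborGuard code). Assumes Node.js 18+.
// Limits below are constructed values; tune them to the workload.
const MAX_RESPONSE_BYTES = 10 * 1024 * 1024; // 10 MiB response budget (constructed)
const MAX_REQUEST_BYTES = 1 * 1024 * 1024;   // 1 MiB request budget (constructed)

// (1) Pin the Node adapter so axios never resolves to the fetch adapter, and set
// the limits the advisory says fetch ignored. Keys are real axios config options;
// pass the result to axios.create() or to an individual request.
function hardenedAxiosConfig(overrides = {}) {
  return {
    adapter: 'http',
    maxContentLength: MAX_RESPONSE_BYTES,
    maxBodyLength: MAX_REQUEST_BYTES,
    ...overrides,
  };
}

class BodyTooLargeError extends Error {
  constructor(limit, seen) {
    super(`body exceeded ${limit} bytes (received at least ${seen})`);
    this.name = 'BodyTooLargeError';
    this.limit = limit;
    this.seen = seen;
  }
}

// (2) Byte-budgeted accumulator independent of the HTTP client. push() refuses a
// chunk before storing it once the running total would pass the budget, so an
// oversized body is never held in memory in full.
class BoundedBody {
  constructor(maxBytes) {
    this.maxBytes = maxBytes;
    this.total = 0;
    this.chunks = [];
  }
  push(chunk) {
    const next = this.total + chunk.byteLength;
    if (next > this.maxBytes) throw new BodyTooLargeError(this.maxBytes, next);
    this.total = next;
    this.chunks.push(chunk);
    return this;
  }
  bytes() {
    const out = new Uint8Array(this.total);
    let offset = 0;
    for (const c of this.chunks) { out.set(c, offset); offset += c.byteLength; }
    return out;
  }
}

// Drive BoundedBody from a web ReadableStream such as a fetch Response.body.
// On overflow the stream is cancelled so the peer is told to stop, then the
// error propagates to the caller.
async function readWithLimit(stream, maxBytes) {
  const body = new BoundedBody(maxBytes);
  const reader = stream.getReader();
  try {
    for (;;) {
      const { done, value } = await reader.read();
      if (done) break;
      body.push(value);
    }
  } catch (err) {
    await reader.cancel(err.message).catch(() => {});
    throw err;
  } finally {
    reader.releaseLock();
  }
  return body.bytes();
}

// (3) A data: URL carries its payload inline, so its decoded size can be bounded
// before the URL reaches any client. Returns the decoded byte count.
function dataUrlPayloadBytes(url) {
  const m = /^data:([^,]*?)(;base64)?,([\s\S]*)$/.exec(url);
  if (!m) throw new TypeError('not a data: URL');
  const payload = m[3];
  if (m[2] !== undefined) {
    const clean = payload.replace(/[\s=]/g, ''); // drop whitespace and '=' padding
    return Math.floor((clean.length * 3) / 4);
  }
  return new TextEncoder().encode(decodeURIComponent(payload)).byteLength;
}

// Constructed fixture: a stream that yields the given Uint8Array chunks.
function streamFromChunks(chunks) {
  return new ReadableStream({
    start(controller) {
      for (const c of chunks) controller.enqueue(c);
      controller.close();
    },
  });
}

// Usage: readWithLimit(streamFromChunks([new Uint8Array(4096)]), MAX_RESPONSE_BYTES)
//   .then((buf) => console.log('read', buf.byteLength, 'bytes'))
//   .catch((e) => console.error(e.name, e.message));
```

The reader-side budget is the piece that matters while a workload is still on an affected release: readWithLimit enforces the cap on whatever the remote side actually sends, whether the fetch adapter honours maxContentLength or not, and dataUrlPayloadBytes lets an application reject an oversized data: URL before axios ever parses it.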

Affected packages
  • axios / axios
    >= 1.7.0, < 1.16.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H