CVE-2026-44488
Axios Fetch Adapter Request Size Limit Bypass

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Axios is a promise-based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0.
Affected Vendors & Products
Showing 3 associated CPEs

Vendor   Product   Version / Range
axios    axios     From 1.7.0 (inc) to 1.15.x (inc)
axios    axios     0.32.0
axios    axios     1.16.0
CWE ID    Description
CWE-770   The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

CVE-2026-44488 is a vulnerability in the Axios library affecting versions 1.7.0 through 1.15.x when the fetch adapter is used. In these versions the configured request and response size limits (maxContentLength and maxBodyLength) are not enforced: the fetch adapter ignores them, so applications can send or receive bodies larger than the specified limits.

This happens because the fetch adapter does not check size limits during request dispatch or response processing. As a result, oversized uploads or downloads can occur despite explicit configuration to restrict data size.

Impact Analysis

The vulnerability can lead to resource exhaustion, such as excessive memory, CPU, or network usage, especially in server-side environments where Axios is used. This happens when a malicious or compromised server returns an oversized response, or when an attacker supplies large request bodies that bypass the configured size limits.

Such resource exhaustion can degrade application performance, cause crashes, or lead to denial of service, impacting availability.

Detection Guidance

Detection starts with determining whether your application uses Axios versions 1.7.0 through 1.15.x together with the fetch adapter, which does not enforce request and response size limits.

To detect usage of vulnerable Axios versions, you can check your project's dependencies with commands like:

  • npm list axios
  • yarn list axios

Additionally, to detect oversized requests or responses that bypass size limits, you can monitor network traffic or logs for unusually large HTTP bodies, especially if the fetch adapter is used.

Since the fetch adapter ignores maxContentLength and maxBodyLength, also audit your codebase for Axios usage that selects adapter: 'fetch' (or runs in an environment where axios resolves to the fetch adapter) and check whether size limits are configured there but cannot take effect.

Mitigation Strategies

Immediate mitigation steps include upgrading Axios to version 1.16.0 or later, or 0.32.0 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, you can work around the issue by:

  • Using the Node.js HTTP adapter instead of the fetch adapter.
  • Validating and limiting request body sizes before passing them to Axios.

These steps help prevent resource exhaustion caused by oversized request or response bodies.
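The two workarounds above (bounding request bodies before they reach axios, and not relying on the fetch adapter's limits for responses) can be enforced in application code. The following is an added example, not code from the axios project or from this advisory; it assumes Node 18 or later (global ReadableStream, TextEncoder and Buffer), and the limit values and the sample stream are constructed for the demonstration.

```javascript
// Added example (not axios project code): enforce outside axios the two limits the
// fetch adapter ignores in affected versions. Assumes Node 18+ globals; limits are constructed.
const MAX_BODY_LENGTH = 1024;    // bytes permitted in an outgoing request body
const MAX_CONTENT_LENGTH = 4096; // bytes permitted in an incoming response body

// Request side: check the body before handing it to axios, so the boundary holds
// whichever adapter axios resolves to. Returns the byte length on success.
function assertRequestBodyWithinLimit(body, maxBodyLength = MAX_BODY_LENGTH) {
  const bytes = typeof body === 'string' ? new TextEncoder().encode(body).byteLength : body.byteLength;
  if (bytes > maxBodyLength) {
    throw new RangeError(`request body of ${bytes} bytes exceeds maxBodyLength ${maxBodyLength}`);
  }
  return bytes;
}

// Response side: count bytes as chunks arrive and fail on the first chunk that
// would push the total over the limit, instead of buffering the whole body first.
class BoundedCollector {
  constructor(maxContentLength = MAX_CONTENT_LENGTH) { this.max = maxContentLength; this.chunks = []; this.size = 0; }
  push(chunk) {
    if (this.size + chunk.byteLength > this.max) {
      throw new RangeError(`response body exceeds maxContentLength ${this.max}`);
    }
    this.chunks.push(chunk); this.size += chunk.byteLength;
    return this.size;
  }
  bytes() { return Buffer.concat(this.chunks); }
}

// Drain a fetch-style ReadableStream under the limit; on overflow cancel the
// stream so the oversized remainder is never pulled into memory.
async function readResponseBodyWithLimit(stream, maxContentLength = MAX_CONTENT_LENGTH) {
  const collector = new BoundedCollector(maxContentLength);
  const reader = stream.getReader();
  try {
    for (;;) {
      const { done, value } = await reader.read();
      if (done) return collector.bytes();
      collector.push(value);
    }
  } catch (err) { await reader.cancel(err).catch(() => {}); throw err; }
  finally { reader.releaseLock(); }
}

// Constructed stand-in for a server response body: `chunks` chunks of `chunkSize` bytes.
function sampleStream(chunks, chunkSize) {
  let sent = 0;
  return new ReadableStream({ pull(controller) {
    if (sent++ < chunks) controller.enqueue(new Uint8Array(chunkSize).fill(0x41)); else controller.close();
  } });
}
```

With axios resolved to the fetch adapter, call readResponseBodyWithLimit on response.data (requesting responseType: 'stream') instead of trusting maxContentLength, and run assertRequestBodyWithinLimit on any forwarded body before the axios call.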

Compliance Impact

The vulnerability in Axios allows oversized request and response bodies to bypass configured size limits, potentially causing resource exhaustion on server-side environments.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, resource exhaustion could indirectly impact availability and reliability of services that handle sensitive data.

Disruptions caused by resource exhaustion might affect the ability to maintain continuous service or protect data integrity, which are important aspects of compliance frameworks.

However, there is no direct information linking this vulnerability to violations of data protection or privacy regulations.
