PatchSiren cyber security CVE debrief
CVE-2026-44488 axios CVE debrief
A vulnerability was found in Axios, a promise-based HTTP client for the browser and Node.js. The issue affects versions 1.7.0 through 1.15.x, where Axios did not enforce configured request and response size limits when requests were sent with the fetch adapter. This can lead to resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, or when an attacker can supply a large data: URL.
- Vendor: axios
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-12
Who should care
Developers and administrators using Axios in their applications, especially those that use the fetch adapter or run in environments where axios resolves to the fetch adapter.
Technical summary
Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured.
Defensive priority
HIGH
Recommended defensive actions
- Update Axios to version 0.32.0 or 1.16.0 to fix the vulnerability.
- Review and adjust configured request and response size limits in your application.
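A caller-side guard that caps response and data: URL sizes without relying on the HTTP client's own maxContentLength handling, covering the two cases described above. This is an added example, not Axios code or part of the advisory; dataUrlPayloadSize, readCapped and the 1024-byte MAX_BYTES are hypothetical names and values, and Node.js 18+ (global fetch types) is assumed.

```javascript
// Added example (not Axios code): caller-side size guards for Node.js 18+.
// dataUrlPayloadSize, readCapped and MAX_BYTES are hypothetical names.
const MAX_BYTES = 1024; // illustrative limit

// Upper bound on the decoded size of a data: URL, computed without decoding it.
function dataUrlPayloadSize(url) {
  const comma = url.indexOf(',');
  if (!/^data:/i.test(url) || comma === -1) throw new TypeError('not a data: URL');
  const payloadLen = url.length - comma - 1;
  const isBase64 = /;base64$/i.test(url.slice(5, comma));
  // base64 packs 3 bytes into 4 characters; a percent-encoded ASCII payload
  // never decodes to more bytes than it has characters.
  return isBase64 ? Math.floor((payloadLen * 3) / 4) : payloadLen;
}

// Read a fetch Response body, aborting as soon as more than maxBytes arrive.
async function readCapped(response, maxBytes = MAX_BYTES) {
  // Content-Length is only a hint (absent for chunked bodies), so it allows an
  // early rejection but never replaces counting the bytes actually received.
  const declared = Number(response.headers.get('content-length'));
  if (declared > maxBytes) {
    if (response.body) await response.body.cancel();
    throw new RangeError(`declared length ${declared} exceeds ${maxBytes}`);
  }
  if (!response.body) return Buffer.alloc(0);
  const reader = response.body.getReader();
  const chunks = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    total += value.byteLength;
    if (total > maxBytes) {
      await reader.cancel(); // stop the transfer instead of draining it
      throw new RangeError(`body exceeded ${maxBytes} bytes`);
    }
    chunks.push(value);
  }
  return Buffer.concat(chunks, total);
}
```

Check a data: URL with dataUrlPayloadSize before handing it to any client, and pass the Response from a plain fetch call to readCapped instead of calling response.text() or response.arrayBuffer() directly.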
Evidence notes
The vulnerability is fixed in Axios versions 0.32.0 and 1.16.0.
Official resources
- CVE-2026-44488 CVE record (CVE.org)
- CVE-2026-44488 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Exploit, Vendor Advisory, Mitigation)
CVE-2026-44488 was published on 2026-06-11.