Bug 2461616 (CVE-2026-42040)

Summary: CVE-2026-42040 axios: Axios: Incorrect null byte handling can lead to data integrity issues
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability    Assignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecified    CC: aazores, abarbaro, abrianik, abuckta, akostadi, alcohan, alizardo, amasferr, anthomas, ataylor, bbrownin, bdettelb, brasmith, caswilli, cdrage, chfoley, cmah, cmyers, cochase, dbosanac, dbruscin, dfreiber, dhanak, dkeler, dkuc, dmayorov, dnakabaa, doconnor, dranck, drosa, drow, dschmidt, dymurray, eaguilar, ebaron, eborisov, ehelms, ehugonne, erezende, ewittman, fdeutsch, fmariani, ggainey, ggrzybek, gmalinko, gparvin, ibek, ibolton, janstey, jbalunas, jburrell, jchui, jhe, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jpasqual, jraez, jreimann, jrokos, juwatts, jwong, jwon, kaycoth, kshier, ktsao, kvanderr, lball, lchilton, lcouzens, lphiri, mcarlett, mdessi, mhess, mhulan, mnovotny, mrizzi, nboldt, ngough, nipatil, nmoumoul, oaljalju, omaciel, orabin, oramraz, osousa, pahickey, pantinor, parichar, pcattana, pcreech, pdelbell, pgaikwad, pjindal, prwatson, psrna, rchan, rgodfrey, rhaigner, rhel-process-autobot, rjohnson, rkubis, rstepani, rushinde, sausingh, sdawley, sdoran, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sseago, stcannon, stirabos, suppawar, swoodman, tasato, tcunning, teagle, thason, tmalecek, tsedmik, veshanka, vkumar, vle, vwilson, watson-tool-maintainers, yfang, yguenane
Target Milestone: ---    Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Axios, a software component used for making web requests. This vulnerability allows for the incorrect handling of null bytes, where a safely encoded null byte (%00) is converted back to its raw form (\x00). While the standard use of Axios is not affected, this could lead to unexpected data processing or integrity issues in certain specialized applications. The overall impact of this flaw is considered limited.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2491651, 2491652, 2491653, 2491657, 2491658, 2491659, 2491660, 2491661, 2491654, 2491655, 2491656, 2491662, 2491682    
Bug Blocks:    

Description OSIDB Bzimport 2026-04-24 18:02:20 UTC
Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1.