Bug 2461636 (CVE-2026-42037)

Summary: CVE-2026-42037 axios: Node.js: Axios: Information disclosure via CRLF injection in multipart Content-Type header
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, adudiak, akostadi, alcohan, alizardo, amasferr, anthomas, bbrownin, bdettelb, brasmith, caswilli, cdrage, chfoley, cmah, cmyers, cochase, dbosanac, dfreiber, dhanak, dkuc, dmayorov, dnakabaa, doconnor, dranck, drosa, drow, dschmidt, dymurray, eaguilar, ebaron, eborisov, ehelms, erezende, ewittman, fdeutsch, ggainey, ggrzybek, gmalinko, gparvin, ibek, ibolton, janstey, jbalunas, jburrell, jchui, jhe, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jraez, jreimann, jrokos, juwatts, jwong, kaycoth, kshier, ktsao, lball, lchilton, lcouzens, lphiri, mdessi, mhulan, mnovotny, mrizzi, nboldt, ngough, nipatil, nmoumoul, oaljalju, omaciel, orabin, oramraz, osousa, pahickey, pantinor, parichar, pcattana, pcreech, pdelbell, pgaikwad, pjindal, psrna, rchan, rgodfrey, rhaigner, rhel-process-autobot, rjohnson, rkubis, rstepani, rushinde, sausingh, sdawley, sdoran, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sseago, stcannon, stirabos, swoodman, tasato, teagle, thason, tmalecek, tsedmik, veshanka, vkumar, watson-tool-maintainers, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Axios, an HTTP client for Node.js. A remote attacker, by controlling the type property of a file-like object, could inject arbitrary MIME part headers into multipart form data. This vulnerability arises from insufficient sanitization of carriage return and line feed (CRLF) sequences in the Content-Type header. This could lead to information disclosure by allowing the attacker to manipulate the structure of the multipart body.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-24 19:02:47 UTC 
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.