Bug 2461616 (CVE-2026-42040) - CVE-2026-42040 axios: Axios: Incorrect null byte handling can lead to data integrity issues
Keywords:
Status: NEW
Alias: CVE-2026-42040
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2491651 2491652 2491653 2491657 2491658 2491659 2491660 2491661 2491654 2491655 2491656 2491662 2491682
Blocks:
Reported: 2026-04-24 18:02 UTC by OSIDB Bzimport
Modified: 2026-06-24 11:49 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-24 18:02:20 UTC
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1.
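
The behaviour described above, as an added example that is not axios source code and not part of the original report: it reproduces only the `'%00': '\x00'` mapping named in the description, beside a variant without it. The `'%20': '+'` entry, the function names and the sample input are assumptions made for illustration.

```javascript
// Added illustration, not axios source. Only the '%00' -> '\x00' mapping is
// taken from the bug description; all names below are hypothetical.

// Character maps applied after encodeURIComponent().
const MAP_WITH_NULL = { '%20': '+', '%00': '\x00' }; // behaviour described in the report
const MAP_WITHOUT_NULL = { '%20': '+' };             // null-byte mapping removed

// Build an encoder that percent-encodes, then rewrites sequences found in charMap.
function makeEncoder(charMap) {
  const pattern = new RegExp(Object.keys(charMap).join('|'), 'g');
  return (str) => encodeURIComponent(str).replace(pattern, (m) => charMap[m]);
}

const encodeAffected = makeEncoder(MAP_WITH_NULL);
const encodeFixed = makeEncoder(MAP_WITHOUT_NULL);

// Serialize key/value pairs into a query string with the chosen encoder.
function serialize(params, encode) {
  return Object.entries(params)
    .map(([k, v]) => `${encode(k)}=${encode(String(v))}`)
    .join('&');
}

// Defensive check: a correctly percent-encoded query string never contains a
// raw NUL, so finding one means the safe encoding was undone along the way.
function containsRawNull(s) {
  return s.includes('\x00');
}

// Constructed sample input with an embedded null byte.
const sample = { id: 'abc\x00def', note: 'a b' };

function demo() {
  const affected = serialize(sample, encodeAffected);
  const fixed = serialize(sample, encodeFixed);
  return {
    affected,
    fixed,
    affectedHasNull: containsRawNull(affected),
    fixedHasNull: containsRawNull(fixed),
  };
}

console.log(JSON.stringify(demo()));
```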

