Bug 2487949 (CVE-2026-44488) - CVE-2026-44488 axios: Axios: Denial of Service due to unenforced request and response size limits
Keywords:
Status: NEW
Alias: CVE-2026-44488
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2488144 2488145 2488146 2488147 2488148 2488149 2488150 2488151 2488152 2488153 2488154 2488155 2488156
Blocks:
Reported: 2026-06-11 17:01 UTC by OSIDB Bzimport
Modified: 2026-06-11 23:55 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-11 17:01:59 UTC
Axios is a promise-based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0.
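The response-side half of the limit described above, as an added example that is not axios code and not the project's fix: a guard that an application can wrap around a fetch Response while it cannot yet upgrade. It rejects on a declared Content-Length over the cap, then keeps counting bytes as the body streams in (Content-Length may be absent or understated), and cancels the stream on overflow so no further bytes are pulled from the socket. DEFAULT_MAX and the function names are assumptions; it needs a Node.js version with global Response and Headers.

```javascript
// Added example: enforce a maxContentLength-style cap on a fetch Response body.
// Not part of axios; the names below are this example's own.

const DEFAULT_MAX = 10 * 1024 * 1024; // assumed application limit: 10 MiB

// True when the declared Content-Length (if present) fits under the cap.
// A missing header means the length is unknown and must be counted while streaming.
function declaredLengthWithinLimit(headers, maxContentLength) {
  const raw = headers.get('content-length');
  if (raw === null) return true;
  const declared = Number(raw);
  return Number.isFinite(declared) && declared <= maxContentLength;
}

// Accumulates body chunks and throws as soon as the running total exceeds the cap,
// so memory use is bounded by maxContentLength plus one chunk.
class SizeLimitedBuffer {
  constructor(maxContentLength) {
    this.max = maxContentLength;
    this.received = 0;
    this.chunks = [];
  }
  push(chunk) {
    this.received += chunk.byteLength;
    if (this.received > this.max) {
      throw new Error(`maxContentLength size of ${this.max} exceeded`);
    }
    this.chunks.push(chunk);
  }
  bytes() {
    return Buffer.concat(this.chunks);
  }
}

// Reads the whole body under the cap; on overflow the stream is cancelled
// before the error propagates, so the connection stops receiving data.
async function readBodyWithLimit(response, maxContentLength = DEFAULT_MAX) {
  if (!declaredLengthWithinLimit(response.headers, maxContentLength)) {
    throw new Error(`maxContentLength size of ${maxContentLength} exceeded (declared Content-Length)`);
  }
  const sink = new SizeLimitedBuffer(maxContentLength);
  if (response.body === null) return sink.bytes(); // e.g. 204 No Content
  const reader = response.body.getReader();
  for (;;) {
    const { done, value } = await reader.read();
    if (done) return sink.bytes();
    try {
      sink.push(value);
    } catch (err) {
      await reader.cancel(err);
      throw err;
    }
  }
}
```

The request-side maxBodyLength limit needs the mirror-image check on bytes written, applied before the body is handed to fetch.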

