CVE-2026-42040

Published: Apr 24, 2026

Modified: Apr 27, 2026

PUBLISHED

CVSS v3.1

3.7

LOW

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1.

Vendor	Product	Versions
axios	axios	affected `>= 1.0.0, < 1.15.1` affected `< 0.31.1`

Weaknesses (CWE)

CWE-116

CWE-626

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-42040

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References