CVE-2026-42040

Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

Assigner: GitHub_M
Reserved: 23.04.2026 Published: 24.04.2026 Updated: 24.04.2026

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 3.7

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	axios
Product	axios
Versions	Version >= 1.0.0, < 1.15.1 is affected Version < 0.31.1 is affected

Vendor

axios

Product

axios

Versions

Version >= 1.0.0, < 1.15.1 is affected
Version < 0.31.1 is affected

References

Problem Types

CWE-116: Improper Encoding or Escaping of Output CWE
CWE-626: Null Byte Interaction Error (Poison Null Byte) CWE

CVE-2026-42040 PUBLISHED

Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

Metrics

Product Status

References

Problem Types