Axios size limit bypass in fetch adapter 1.7.0-1.15.x
CVE-2026-44488 Published on June 11, 2026
Axios: Allocation of Resources Without Limits or Throttling in axios
Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0.
Vulnerability Analysis
CVE-2026-44488 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Products Associated with CVE-2026-44488
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-44488 are published in these products:
Affected Versions
axios:- Version >= 1.7.0, < 1.16.0 is affected.
- Version 0:2.6.10-1.el9ap and below * is unaffected.
- Version 1782157085 and below * is unaffected.
- Version 1783348181 and below * is unaffected.
- Version 1782157514 and below * is unaffected.
- Version 1783451729 and below * is unaffected.
- Version 1779293013 and below * is unaffected.
- Version 1779371594 and below * is unaffected.
- Version 1782761510 and below * is unaffected.
- Version 1783448184 and below * is unaffected.
- Version 1781187342 and below * is unaffected.
- Version 1782761244 and below * is unaffected.
- Version 1782166952 and below * is unaffected.
- Version 1782127091 and below * is unaffected.
- Version 1782244020 and below * is unaffected.
- Version 1781695012 and below * is unaffected.
- Version 1781731914 and below * is unaffected.
- Version 1782498475 and below * is unaffected.
- Version 1782498792 and below * is unaffected.
- Version 1781937133 and below * is unaffected.
- Version 1782287580 and below * is unaffected.
- Version 1782201894 and below * is unaffected.
- Version 1782201833 and below * is unaffected.
- Version 1782201696 and below * is unaffected.
- Version 1782201537 and below * is unaffected.
- Version 1782201851 and below * is unaffected.
- Version 1782201812 and below * is unaffected.
- Version 1782231869 and below * is unaffected.
- Version 1782201466 and below * is unaffected.
- Version 1781174698 and below * is unaffected.
- Version 1782253070 and below * is unaffected.
- Version 1782243376 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.