{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-42040", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-23T16:05:01.709Z", "datePublished": "2026-04-24T17:40:31.125Z", "dateUpdated": "2026-04-27T13:48:06.659Z"}, "containers": {"cna": {"title": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams", "problemTypes": [{"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-626", "lang": "en", "description": "CWE-626: Null Byte Interaction Error (Poison Null Byte)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw"}], "affected": [{"vendor": "axios", "product": "axios", "versions": [{"version": ">= 1.0.0, < 1.15.1", "status": "affected"}, {"version": "< 0.31.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T17:40:31.125Z"}, "descriptions": [{"lang": "en", "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1."}], "source": {"advisory": "GHSA-xhjh-pmcv-23jw", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:48:02.943460Z", "id": "CVE-2026-42040", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:48:06.659Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-42040", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T13:48:02.943460Z"}}}], "references": [{"url": "https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:47:53.257Z"}}], "cna": {"title": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams", "source": {"advisory": "GHSA-xhjh-pmcv-23jw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "axios", "product": "axios", "versions": [{"status": "affected", "version": ">= 1.0.0, < 1.15.1"}, {"status": "affected", "version": "< 0.31.1"}]}], "references": [{"url": "https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw", "name": "https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-626", "description": "CWE-626: Null Byte Interaction Error (Poison Null Byte)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T17:40:31.125Z"}}}, "cveMetadata": {"cveId": "CVE-2026-42040", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:48:06.659Z", "dateReserved": "2026-04-23T16:05:01.709Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T17:40:31.125Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7D2B28C9-026E-4CD6-BD17-7EDD42108106", "versionEndExcluding": "0.31.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "3EC1EF30-EBB8-410B-90FB-1F18A3545C2E", "versionEndExcluding": "1.15.1", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1."}], "id": "CVE-2026-42040", "lastModified": "2026-04-27T20:09:07.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T18:16:30.960", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}, {"lang": "en", "value": "CWE-626"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,1.15.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.31.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "axios", "source": "cna", "vendor": "axios"}, "product": "axios", "vendor": "axios"}], "analysis": {"en": {"generated_at": "2026-04-28T13:38:39.105064+00:00", "value": {"mitigation_remediation": ["Upgrade Axios to version 1.15.1 or later, or to 0.31.1 or later, to remove the reverse mapping flaw.", "Avoid using AxiosURLSearchParams.encode() directly; sanitize input data to ensure no raw null bytes are passed to the encoder.", "Review any third\u2011party libraries or custom code that constructs URLs via AxiosURLSearchParams in order to detect and eliminate any raw null byte injection points."], "summary": {"action": "Upgrade", "impact": "Data Integrity via Null Byte Injection"}, "threat_synthesis": {"affected_systems": "Axios releases before 1.15.1 and 0.31.1 are affected. The issue exists in the Axios library for both browser and Node.js environments. Any deployment that uses Axios directly or through a dependency graph that pulls in the vulnerable version is impacted.", "description_and_impact": "The Axios HTTP client contains a flaw in the encode() function used for URL query string generation. The function contains a mapping that intentionally reverses percent\u2011encoded null bytes, turning the safe %00 sequence back into a raw null byte. This allows an attacker to inject a null byte into data that is passed through the encoder, potentially corrupting downstream string handling or truncating values at null boundaries. While the vulnerability does not affect the standard request flow of Axios, it could be exploited in custom usage patterns or by libraries that reuse the encoder without full control.", "risk_and_exploitability": "The CVSS score of 3.7 indicates moderate severity. The EPSS score is below 1%, indicating a low probability of active exploitation, and Axios is not listed in CISA KEV catalog. The likely attack vector is via crafted URLs or direct usage of the encode() function to inject a raw null byte. Because the injection could cause data truncation or corruption, the impact is primarily data integrity rather than confidentiality or availability."}}}}, "created": "2026-04-27T21:45:14.289258+00:00", "updated": "2026-04-28T13:45:06.138768+00:00", "vendors": ["axios", "axios$PRODUCT$axios"]}