Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-42040

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-24 Apr, 2026 | 17:40
Updated At-27 Apr, 2026 | 13:48
Rejected At-
Credits

Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:24 Apr, 2026 | 17:40
Updated At:27 Apr, 2026 | 13:48
Rejected At:
▼CVE Numbering Authority (CNA)
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1.

Affected Products
Vendor
axios
Product
axios
Versions
Affected
  • >= 1.0.0, < 1.15.1
  • < 0.31.1
Problem Types
TypeCWE IDDescription
CWECWE-116CWE-116: Improper Encoding or Escaping of Output
CWECWE-626CWE-626: Null Byte Interaction Error (Poison Null Byte)
Type: CWE
CWE ID: CWE-116
Description: CWE-116: Improper Encoding or Escaping of Output
Type: CWE
CWE ID: CWE-626
Description: CWE-626: Null Byte Interaction Error (Poison Null Byte)
Metrics
VersionBase scoreBase severityVector
3.13.7LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 3.7
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw
x_refsource_CONFIRM
Hyperlink: https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw
exploit
Hyperlink: https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw
Resource:
exploit
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:24 Apr, 2026 | 18:16
Updated At:27 Apr, 2026 | 20:09

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.13.7LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 3.7
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CPE Matches
axios
axios
>>axios>>Versions before 0.31.1(exclusive)
cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*
axios
axios
>>axios>>Versions from 1.0.0(inclusive) to 1.15.1(exclusive)
cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*
Weaknesses
CWE IDTypeSource
CWE-116Secondarysecurity-advisories@github.com
CWE-626Secondarysecurity-advisories@github.com
CWE ID: CWE-116
Type: Secondary
Source: security-advisories@github.com
CWE ID: CWE-626
Type: Secondary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jwsecurity-advisories@github.com
Exploit
Mitigation
Vendor Advisory
https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Mitigation
Vendor Advisory
Hyperlink: https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw
Source: security-advisories@github.com
Resource:
Exploit
Mitigation
Vendor Advisory
Hyperlink: https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Exploit
Mitigation
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

2Records found
CVE-2026-44489
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-3.7||LOW
EPSS-Not Assigned
Published-11 Jun, 2026 | 15:30
Updated-11 Jun, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Axios: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request. This vulnerability is fixed in 1.16.0.

Action-Not Available
Vendor-axios
Product-axios
CWE ID-CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2024-42332
Matching Score-4
Assigner-Zabbix
ShareView Details
Matching Score-4
Assigner-Zabbix
CVSS Score-3.7||LOW
EPSS-0.91% / 76.19%
||
7 Day CHG+0.06%
Published-27 Nov, 2024 | 12:06
Updated-03 Nov, 2025 | 22:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
New line injection in Zabbix SNMP traps

The researcher is showing that due to the way the SNMP trap log is parsed, an attacker can craft an SNMP trap with additional lines of information and have forged data show in the Zabbix UI. This attack requires SNMP auth to be off and/or the attacker to know the community/auth details. The attack requires an SNMP item to be configured as text on the target host.

Action-Not Available
Vendor-ZABBIX
Product-zabbixZabbix
CWE ID-CWE-116
Improper Encoding or Escaping of Output
Details not found