High severity · NVD Advisory · Published May 7, 2019 · Updated Aug 4, 2024

CVE-2019-10742

Description

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
axios (npm) | < 0.18.1 | 0.18.1

Patches

acabfbdf00a5

Destroy stream on exceeding maxContentLength (fixes #1098) (#1485)

https://github.com/axios/axios · Gadzhi Gadzhiev · May 7, 2019 · via ghsa
1 file changed · +1 0
  • lib/adapters/http.js+1 0 modified
    @@ -181,6 +181,7 @@ module.exports = function httpAdapter(config) {
     
               // make sure the content length is not over the maxContentLength if specified
               if (config.maxContentLength > -1 && Buffer.concat(responseBuffer).length > config.maxContentLength) {
    +            stream.destroy();
                 reject(createError('maxContentLength size of ' + config.maxContentLength + ' exceeded',
                   config, null, lastRequest));
               }
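Review bot: The limit check in the if condition measures the body with Buffer.concat(responseBuffer).length, which copies everything buffered so far just to read its length; if this check runs for each received chunk the work grows quadratically with response size, so a running byte counter compared against config.maxContentLength would give the same result without the copies. Next to the added stream.destroy(), nothing in the visible lines releases the chunks already held in responseBuffer or stops the code after reject(...) from continuing, so consider clearing the buffer and returning there. The change touches 1 file with a single added line; a regression test that feeds a body larger than the limit and asserts the stream is destroyed would keep this from regressing.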
    
