CVE-2026-42034 - Medium Severity Vulnerability
Vulnerable Library - axios-0.19.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Path to dependency file: /day59/package.json
Path to vulnerable library: /day59/package.json,/day60/package.json
Dependency Hierarchy:
- browser-sync-2.26.13.tgz (Root Library)
- localtunnel-2.0.0.tgz
- ❌ axios-0.19.0.tgz (Vulnerable Library)
Found in HEAD commit: c88b9429eb68a85b22f0e39cac7bf20b89cb6709
Found in base branch: master
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits. This vulnerability is fixed in 1.15.1 and 0.31.1.
Publish Date: 2026-04-24
URL: CVE-2026-42034
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5c9x-8gcm-mpgx
Release Date: 2026-04-24
Fix Resolution (axios): 1.15.1
Direct dependency fix Resolution (browser-sync): 3.0.0
Step up your Open Source Security Game with Mend here
CVE-2026-42034 - Medium Severity Vulnerability
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Path to dependency file: /day59/package.json
Path to vulnerable library: /day59/package.json,/day60/package.json
Dependency Hierarchy:
Found in HEAD commit: c88b9429eb68a85b22f0e39cac7bf20b89cb6709
Found in base branch: master
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits. This vulnerability is fixed in 1.15.1 and 0.31.1.
Publish Date: 2026-04-24
URL: CVE-2026-42034
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-5c9x-8gcm-mpgx
Release Date: 2026-04-24
Fix Resolution (axios): 1.15.1
Direct dependency fix Resolution (browser-sync): 3.0.0
Step up your Open Source Security Game with Mend here