VulWall Team March 31, 2026 4 min read

Outdated HTTP Library Can Be Used to Crash Your Application

Your application uses an outdated version of Axios, a popular tool for making web requests. A known flaw in this version means that a malicious server — or an unexpectedly large response — can keep sending data even after your app has told it to stop, eventually overwhelming your server and causing it to crash or become unresponsive. The fix is a straightforward library upgrade.

OWASP A06 Effort: trivial Exploitable
dos denial-of-service axios nodejs cve stream dependency npm

Business Impact And Actions

medium urgency

Business Impact

If exploited, this could make your application unavailable to customers — causing downtime, lost revenue, and a poor user experience. While this doesn't expose customer data, repeated or targeted crashes could affect your service reliability and, depending on your industry, may be flagged during security compliance reviews.

What To Do

  1. Ask your developer to upgrade the Axios library to version 0.18.1 or higher — this is a well-tested fix and typically takes under an hour.
  2. After the upgrade, ask your developer to run your existing test suite to confirm nothing is broken.
  3. If an immediate upgrade isn't possible, ask your developer to apply the temporary workaround of manually destroying the response stream when a content-length error is caught.
  4. Schedule a regular dependency review (e.g. monthly) so outdated libraries like this are caught earlier in future.

Axios ≤ 0.18.0 Denial of Service via Unbounded Stream After maxContentLength Exceeded (CVE-2019-10742)

high severity CVSS 7.5

Vulnerability Explanation

In Axios versions up to and including 0.18.0, when a response body exceeds the configured `maxContentLength` limit, the library correctly rejects the promise with an error — but critically fails to destroy the underlying Node.js HTTP stream. The stream continues to receive and buffer data, consuming CPU and memory until the process is overwhelmed or crashes. This is a classic improper stream lifecycle management bug: the error path handles the application-level promise but neglects the transport-level resource.

Root Cause

The HTTP adapter's `data` event handler checked accumulated buffer length against `maxContentLength` and triggered a promise rejection, but did not call `stream.destroy()` on the response stream. The fix in commit `acabfbdf` adds a single `stream.destroy()` call at the point of rejection, halting further data ingestion.

Technical Impact

An attacker controlling a server that your application makes HTTP requests to (e.g., a third-party API, a webhook target, or a user-supplied URL) can serve an oversized response body to cause sustained high CPU/memory usage and ultimately crash the Node.js process. This results in application downtime (Denial of Service). No data confidentiality or integrity impact.

Severity Justification

CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H — network-exploitable with no authentication or user interaction required, full availability impact. Exploitability is conditional on the application making HTTP requests to attacker-influenced endpoints.

Affected Components

  • axios < 0.18.1

Remediation Steps

  1. Upgrade axios to version 0.18.1 or later: run `npm install axios@latest` (or pin to a specific safe version in package.json).
  2. Run `npm audit` after upgrading to confirm no remaining advisories for axios.
  3. If an immediate upgrade is blocked (e.g., due to breaking changes in a newer major version), apply the temporary workaround: catch the maxContentLength error and manually destroy the stream — see code example below.
  4. Review any axios calls that use `maxContentLength` to ensure the option is explicitly set, limiting exposure to unexpectedly large responses.

Verification Steps

  1. Run `npm list axios` and confirm the installed version is 0.18.1 or higher.
  2. Run `npm audit` and verify CVE-2019-10742 / GHSA-42xw-2xvc-qx8m no longer appears in the output.
  3. If you have integration tests covering HTTP client behaviour, run them to confirm no regressions.

Code Examples (javascript)

Vulnerable
// axios <= 0.18.0: stream is NOT destroyed on maxContentLength error
axios.get('https://example.com/large-file', {
  maxContentLength: 2000
}).catch(err => {
  // Promise is rejected, but the underlying stream keeps receiving data
  console.error(err.message);
});
Fixed
// Option 1 (preferred): Upgrade to axios >= 0.18.1
// The library now calls stream.destroy() automatically — no code change needed.

// Option 2 (temporary workaround for older versions):
axios.get('https://example.com/large-file', {
  maxContentLength: 2000
}).catch(err => {
  // Manually destroy the stream to stop further data ingestion
  if (err.request && err.request.res) {
    err.request.res.destroy();
  }
  console.error(err.message);
});

Best Practices

  • Always set `maxContentLength` (and `maxBodyLength` for request bodies) explicitly in axios calls that handle untrusted or third-party responses.
  • Pin dependencies to known-good versions in package.json and use a lock file (package-lock.json or yarn.lock) to prevent silent upgrades.
  • Integrate `npm audit` or a tool like Snyk into your CI/CD pipeline to catch known vulnerabilities in dependencies before they reach production.
  • When making HTTP requests to user-supplied or third-party URLs, apply timeouts (`timeout` option) in addition to content-length limits to bound resource consumption.

References

Found this in your infrastructure?

VulWall scans for this and dozens of other issues automatically.

Scan Your Domain Free
Back to Knowledge Base