Axios Security Alert: CRLF Injection Vulnerability Patched in v1.15.2 (CVE-2026-42037)
A security vulnerability in axios, one of the JavaScript ecosystem's most widely deployed HTTP clients, has prompted an urgent patch release. The flaw, tracked as CVE-2026-42037 and disclosed under GitHub Security Advisory GHSA-445q-vr5w-6q77, enables CRLF injection through the library's multipart/form-data serialization. The vulnerability resides in the formDataToStream helper, which the Node.js (http) adapter uses to turn a FormData object into a request body stream. There, the FormDataPart constructor escapes the field name and filename but interpolates the value's blob.type string unsanitized into the part's Content-Type header, so carriage-return and line-feed characters in that string are written straight into the header block of the multipart body.
The technical issue centers on how axios handles Blob (or Blob-like) objects in multipart form submissions. Within formDataToStream.js, the value.type property is interpolated directly into the outgoing part headers. An attacker who can control the type string of a Blob that an application then places into a FormData and sends through axios could inject CRLF sequences, either adding or overriding per-part headers (such as Content-Disposition) or terminating the header block early so that attacker-chosen bytes are parsed as part of the body. The injection lands inside the multipart body rather than in the outer HTTP request headers, but depending on how the receiving server parses the manipulated part, this class of vulnerability still opens pathways for header injection, request smuggling style desynchronization between components, and downstream exploitation. Browser builds are not on this code path, because the browser serializes FormData itself; the exposure is in Node.js code, typically a service that forwards an upload and passes along a client-supplied MIME type as the Blob's type.
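To make the failure mode concrete, the following is an added example (written for this article, not axios's own code and not the 1.15.2 fix) that models how a multipart part's header block is assembled from a Blob-like value. It builds the block the unsafe way, parses it back the way a server would, and then shows a hardened builder that validates the media type against the RFC 7231 token grammar before interpolating it. All function names, the sample `type` strings, and the constructed Blob-like objects are hypothetical.

```javascript
// Added example: multipart part-header construction with and without
// sanitizing the Blob's type string. Not axios's code; names are hypothetical.
const CRLF = '\r\n';

// Escaping of the kind applied to field names and filenames: CR, LF and
// double quotes are percent-encoded so they cannot break out of the header.
function escapeToken(s) {
  return String(s).replace(/[\r\n"]/g, (m) => ({ '\r': '%0D', '\n': '%0A', '"': '%22' }[m]));
}

// UNSAFE model of the vulnerable pattern: the name is escaped, the type is not.
function buildPartHeadersUnsafe(name, value) {
  let headers = `Content-Disposition: form-data; name="${escapeToken(name)}"`;
  if (value.name) headers += `; filename="${escapeToken(value.name)}"`;
  headers += CRLF;
  headers += `Content-Type: ${value.type || 'application/octet-stream'}${CRLF}`;
  return headers + CRLF; // blank line ends the part's header block
}

// RFC 7231 token characters; a media type is token "/" token with optional
// "; name=value" parameters (value as token or quoted-string). CR/LF never
// appear in a valid media type, so a strict grammar check rejects injection.
const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
const QUOTED = '"[^"\\r\\n\\\\]*"';
const MEDIA_TYPE_RE = new RegExp(
  `^${TOKEN}/${TOKEN}(?:[ \\t]*;[ \\t]*${TOKEN}=(?:${TOKEN}|${QUOTED}))*$`
);

function isValidMediaType(type) {
  return MEDIA_TYPE_RE.test(type);
}

// HARDENED model: validate the type before it reaches the header stream.
// An empty type falls back to application/octet-stream; anything malformed
// (including any CR or LF) is rejected rather than silently rewritten.
function buildPartHeadersSafe(name, value) {
  const type = value.type ? String(value.type) : 'application/octet-stream';
  if (!isValidMediaType(type)) {
    throw new TypeError(`invalid media type for part "${name}"`);
  }
  let headers = `Content-Disposition: form-data; name="${escapeToken(name)}"`;
  if (value.name) headers += `; filename="${escapeToken(value.name)}"`;
  headers += CRLF;
  headers += `Content-Type: ${type}${CRLF}`;
  return headers + CRLF;
}

// Minimal receiver-side view: split the raw part at the first blank line and
// fold the header lines into a lowercase-keyed map (last value wins).
function parsePartHeaders(raw) {
  const end = raw.indexOf(CRLF + CRLF);
  const headerBlock = end === -1 ? raw : raw.slice(0, end);
  const body = end === -1 ? '' : raw.slice(end + 4);
  const headers = {};
  for (const line of headerBlock.split(CRLF)) {
    const i = line.indexOf(':');
    if (i === -1) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { headers, body };
}

// Constructed sample inputs (not real traffic): a benign Blob-like value and
// two malicious type strings, one adding a header, one ending the header block.
const benign = { name: 'report.pdf', type: 'application/pdf' };
const injectHeader = { name: 'a.png', type: 'image/png' + CRLF + 'X-Injected: yes' };
const injectBody = { name: 'a.txt', type: 'text/plain' + CRLF + CRLF + 'smuggled' };

function demo() {
  console.log(parsePartHeaders(buildPartHeadersUnsafe('file', injectHeader)).headers);
  console.log(JSON.stringify(parsePartHeaders(buildPartHeadersUnsafe('file', injectBody)).body));
  console.log(parsePartHeaders(buildPartHeadersSafe('file', benign)).headers);
  for (const bad of [injectHeader, injectBody]) {
    try { buildPartHeadersSafe('file', bad); } catch (e) { console.log('rejected:', e.message); }
  }
}
demo();
```

Run with `node` to see the injected `x-injected` header and the body that begins with `smuggled` on the unsafe path, and the TypeError on the hardened path. Rejecting rather than stripping is a deliberate choice: a stripped CRLF silently turns `image/png\r\nX-Injected: yes` into `image/pngX-Injected: yes`, which hides the attack from logs, whereas a thrown error surfaces the untrusted input at the point where the application chose to trust it.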
Organizations running axios 1.15.0 or earlier should treat this as a priority update; the patched release is 1.15.2, which closes the sanitization gap. Applications handling file uploads, multipart form data, or user-supplied Blob objects face the most direct exposure, and the risk is highest where a Node.js service sets a Blob's type from a value the client supplied. Running `npm ls axios` (or the equivalent for your package manager) will show every resolved copy, including transitive ones pulled in by SDKs, and `npm audit` will report the advisory once the database has picked it up. Automated dependency management tools such as Renovate are already flagging this as a security-priority update across affected repositories. Security teams evaluating supply chain risk can reference the OpenSSF Scorecard integration on the axios repository for additional context on the project's security posture.