CVE-2026-42034 (MEDIUM): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2026-42034	MEDIUM	axios	1.15.0	1.15.1, 0.31.1	2026-04-24T18:16:30.14Z	2026-05-07T10:18:28.129573309Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/nodejs:latest	public.ecr.aws/lambda/nodejs@sha256:cd0287bce1f8c0a87e85950019ecd09daae832e2510e87a5385737a7ff5dc99a
public.ecr.aws/lambda/nodejs:24	public.ecr.aws/lambda/nodejs@sha256:33ee7117be4cefdbdbe8d2d6c6fe58b21d52d21d702eed1df68dfe809cd1b7f9
public.ecr.aws/lambda/nodejs:22	public.ecr.aws/lambda/nodejs@sha256:cd0287bce1f8c0a87e85950019ecd09daae832e2510e87a5385737a7ff5dc99a

---

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits. This vulnerability is fixed in 1.15.1 and 0.31.1.

---

Remediation Steps

• Update the affected package axios from version 1.15.0 to 1.15.1, 0.31.1.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.

[the-lambda-watchdog]

The vulnerability is no longer present in the latest Lambda Watchdog scans. Marking the issue as closed. 🤖