CVE-2026-42037 (MEDIUM): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2026-42037	MEDIUM	axios	1.15.0	1.15.1	2026-04-24T18:16:30.543Z	2026-05-08T10:18:20.600877578Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/nodejs:latest	public.ecr.aws/lambda/nodejs@sha256:cd0287bce1f8c0a87e85950019ecd09daae832e2510e87a5385737a7ff5dc99a
public.ecr.aws/lambda/nodejs:24	public.ecr.aws/lambda/nodejs@sha256:33ee7117be4cefdbdbe8d2d6c6fe58b21d52d21d702eed1df68dfe809cd1b7f9
public.ecr.aws/lambda/nodejs:22	public.ecr.aws/lambda/nodejs@sha256:cd0287bce1f8c0a87e85950019ecd09daae832e2510e87a5385737a7ff5dc99a

---

Description

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.

---

Remediation Steps

• Update the affected package axios from version 1.15.0 to 1.15.1.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.

[the-lambda-watchdog]

The vulnerability is no longer present in the latest Lambda Watchdog scans. Marking the issue as closed. 🤖