fix(node): enforce maxContentLength for data: URLs#7011
Merged
jasonsaayman merged 3 commits intoaxios:v1.xfrom Sep 10, 2025
AmeerAssadi:advisory-fix-1
Merged
fix(node): enforce maxContentLength for data: URLs#7011jasonsaayman merged 3 commits intoaxios:v1.xfrom AmeerAssadi:advisory-fix-1
jasonsaayman merged 3 commits intoaxios:v1.xfrom
AmeerAssadi:advisory-fix-1
Conversation
Contributor
Author
|
@jasonsaayman plz approve! |
AmeerAssadi
changed the title
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR addresses a security vulnerability by enforcing maxContentLength limits on data: URLs to prevent denial-of-service attacks through out-of-memory conditions.
- Adds pre-decode size estimation for
data:URLs to check againstmaxContentLengthbefore decoding - Implements efficient size calculation for both base64 and non-base64 encoded data without large memory allocations
- Maintains backward compatibility by only enforcing limits when
maxContentLengthis explicitly set to a finite non-negative value
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
jasonsaayman
reviewed
Sep 9, 2025
… condition in base64 padding check
DigitalBrainJS
requested changes
Sep 9, 2025
Collaborator
DigitalBrainJS
left a comment
DigitalBrainJS
left a comment
There was a problem hiding this comment.
Thank you for your contribution. 👍 Although the code looks like it works, it would be nice to add at least one unit test for the utility.
Contributor
Author
|
@DigitalBrainJS , thanks for the review, I have implemented the changes. |
Contributor
|
Hi, @AmeerAssadi! This PR has been published in v1.12.0 release. Thank you for your contribution ❤️! |
1 task
This was referenced Jan 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix (Node): apply
maxContentLengthtodata:URLs with pre-decode size checkdata:payloads were fully decoded in memory and ignoredmaxContentLength> possible OOM/DoS.maxContentLengthis a finite non-negative value, Axios estimates the decoded size and rejects early when it exceeds the cap.maxContentLength: -1means unlimited).%3D) and non-base64 (UTF-8 byteLength upper bound).Security: mitigates DoS.
See GHSA: GHSA-4hjh-wcwx-xvwj • CVE-2025-58754.