
fix: stream response bypassed max content length #10754

Merged
jasonsaayman merged 3 commits into v1.x from fix/ghsa-vf2m-468p-8v99 on Apr 18, 2026

Conversation

@jasonsaayman
Member

@jasonsaayman jasonsaayman commented Apr 18, 2026

Summary by cubic

Fixes a limits bypass in the Node HTTP adapter by enforcing maxContentLength for streamed responses and maxBodyLength for streamed uploads when maxRedirects: 0. Prevents oversized payloads from being fully read or sent, addressing GHSA-vf2m-468p-8v99 and GHSA-5c9x-8gcm-mpgx.

Description

  • Enforce maxContentLength for responseType: 'stream' by wrapping the response stream; throw AxiosError when the limit is exceeded.
  • Enforce maxBodyLength for streamed uploads on native http/https when maxRedirects === 0 using a counting transform; fail early and destroy the request.
  • Keep existing follow-redirects behavior otherwise; both paths now consistently enforce limits.

Docs

  • maxContentLength now applies to streamed responses.
  • maxBodyLength is enforced for streamed uploads when maxRedirects: 0 (native transport); other cases remain enforced by follow-redirects.
  • Clients receive an error once limits are exceeded; streams stop early.

Testing

  • Added four unit tests covering over/under limit for streamed responses and for streamed uploads with maxRedirects: 0.
  • No additional tests needed.

Written for commit 34ea6dd. Summary will update on new commits.

@jasonsaayman jasonsaayman self-assigned this Apr 18, 2026
@jasonsaayman jasonsaayman added priority::medium (A medium priority), commit::fix (The PR is related to a bugfix), type::security (The PR is a security related change, normally from a CVE) labels Apr 18, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

