Date: 2026-06-16 Target: axios 1.18.0 (patched CVE-2026-42037, formDataToStream blob.type CRLF) Verdict: WALK CLEAN.
Two libraries, identical bug-class (multipart part-header CRLF injection), opposite fix completeness:
- form-data npm 4.0.6 (cycle241): fix escaped field-name + filename ONLY (WHATWG-faithful) -> MISSED
contentType in the same sink -> INCOMPLETE (my confirmed finding).
- axios 1.18.0 (this cycle): FormDataPart constructor escapes name (escapeName), filename (escapeName,
regex /[\r\n"]/ -> %0D/%0A/%22) AND strips CRLF from value.type (.replace(/[\r\n]/g,'')). All 3 injectable
fields covered; only 2 part-headers exist, no custom-header option -> set-difference EMPTY -> WALK.
Same CVE class, same week, same ecosystem - but axios SWEPT (fixed the reported field + the siblings), form-data
POINT-FIXED (reported fields only). Reinforces cycle245/246: completeness is a per-MAINTAINER property, not a
per-bug-class one. You cannot predict completeness from the bug class; you must read each fix's scope.
Empirical harness hit axios's instanceof FormData guard + real-Blob .type normalization would obscure the
type test, so this WALK rests on white-box source (3 explicit sanitizers, 2 headers, no custom-header sink) -
appropriate for confirming sanitization PRESENCE. A CONFIRMED VULN claim would require clearing that harness
friction (build a real FormData+Blob, or drive FormDataPart directly) - do not assert a finding on static read
alone, but a walk on "sanitizer demonstrably present in source" is sound.
POINT-FIXERS (mine siblings): PyJWT (2/5 incomplete), form-data npm (contentType missed). SWEEPERS (one check, walk): Symfony bridges, undici, axios. Tell: does the fix join/extend a SYSTEMATIC validation layer (sweeper) or patch one spot (point-fixer)? Read scope.