CVE-2026-42039 PUBLISHED

Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

Assigner: GitHub_M
Reserved: 23.04.2026 Published: 24.04.2026 Updated: 24.04.2026

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor axios
Product axios
Versions
  • Version >= 1.0.0, < 1.15.1 is affected
  • Version < 0.31.1 is affected

References

Problem Types

  • CWE-674: Uncontrolled Recursion CWE