CVE-2026-42039

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1.

Affected Software

VendorProductVersion RangeStatus
axiosaxios>= 1.0.0, < 1.15.1affected
axiosaxios< 0.31.1affected

Weaknesses

  • CWE-674: CWE-674: Uncontrolled Recursion

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data

Additional References

References