CVE-2026-42039: Uncontrolled Recursion Denial of Service in Axios toFormData
Vulnerability ID: CVE-2026-42039
CVSS Score: 7.5
Published: 2026-05-05
CVE-2026-42039 is a high-severity Denial of Service (DoS) vulnerability in the Axios HTTP client library. The flaw exists in the toFormData utility due to uncontrolled recursion during object serialization, allowing attackers to crash Node.js processes via deeply nested objects.
TL;DR
Uncontrolled recursion in Axios toFormData allows an attacker to cause a Denial of Service (DoS): serializing a deeply nested object (for example one decoded from attacker-controlled JSON) overflows the call stack, and the resulting uncaught exception crashes the Node.js process.
⚠️ Exploit Status: PoC
Technical Details
- CWE: CWE-674
- CVSS: 7.5
- Attack Vector: Network
- Impact: Denial of Service
- Exploit Status: PoC Available
- EPSS Score: 0.00052
Affected Systems
- Node.js backends using Axios
- Browsers executing Axios (though impact is limited to the current tab)
- APIs proxying user data via Axios
- axios: < 0.31.1
- axios: >= 1.0.0, < 1.15.1
Code Analysis
- Commit 85132ff: main logic fix, adding a maxDepth limit to toFormData
- Commit 250937a: documentation refinement
Mitigation Strategies
- Update Axios to 1.15.1 or later (or 0.31.1 or later on the 0.x line)
- Implement input validation and depth limits on user-supplied JSON objects before processing them
- Use custom formSerializer configurations cautiously if deep nesting is explicitly required
Remediation Steps:
- Identify all instances of Axios usage within the application, particularly in Node.js backend services.
- Update the package.json dependency for axios to >=1.15.1 (or >=0.31.1 <1.0.0 if you must stay on the 0.x line).
- Run npm install or yarn install to apply the update.
- Verify the deployed version via npm ls axios.
- Implement middleware to reject incoming JSON payloads exceeding expected depth limits, using a check that does not itself recurse over the payload.
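The two points above (the maxDepth limit added to toFormData in the Code Analysis section, and the depth-limiting middleware in the remediation steps), as an added example. This is not axios's toFormData source or the project's patch: it is a simplified recursive serializer in the same shape, shown unbounded and with an assumed maxDepth guard (policy value 32 is an assumption), alongside a non-recursive depth check on the raw JSON text that a middleware can run before anything parses or serializes the body.

```javascript
// Added example (not axios source): a simplified recursive object-to-form
// serializer in the style of toFormData, shown unbounded and with a maxDepth
// guard, plus a non-recursive depth check that a request middleware can run
// on the raw JSON body before any parsing or serialization touches it.

// Constructed attacker-style input: {a:{a:{...{leaf:1}}}} with `depth`
// levels of wrapping. Built iteratively so building it cannot overflow.
function nestedObject(depth) {
  let obj = { leaf: 1 };
  for (let i = 0; i < depth; i++) obj = { a: obj };
  return obj;
}

// Pre-fix behaviour: recurse into every nested object with no limit.
// Emits [name, value] pairs such as ["a[a][leaf]", "1"].
function serializeUnbounded(value, pairs, prefix) {
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const name = prefix === undefined ? key : `${prefix}[${key}]`;
      serializeUnbounded(value[key], pairs, name);
    }
  } else {
    pairs.push([prefix, String(value)]);
  }
  return pairs;
}

// Post-fix shape (assumed, modelled on the maxDepth idea): identical
// traversal, but refuse to descend past maxDepth (root object = depth 1)
// and fail with an ordinary, catchable Error instead of a stack overflow.
function serializeBounded(value, pairs, prefix, maxDepth, depth = 1) {
  if (value !== null && typeof value === 'object') {
    if (depth > maxDepth) {
      throw new Error(`object nesting exceeds maxDepth=${maxDepth}`);
    }
    for (const key of Object.keys(value)) {
      const name = prefix === undefined ? key : `${prefix}[${key}]`;
      serializeBounded(value[key], pairs, name, maxDepth, depth + 1);
    }
  } else {
    pairs.push([prefix, String(value)]);
  }
  return pairs;
}

// Wrap a serializer call so the outcome can be inspected instead of
// propagating. With the unbounded serializer and a deep input the result is
// a RangeError (stack overflow); left uncaught in a request handler, that
// exception terminates the Node.js process.
function outcome(fn) {
  try {
    return { ok: true, pairs: fn().length };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}
const unboundedOutcome = (depth) =>
  outcome(() => serializeUnbounded(nestedObject(depth), [], undefined));
const boundedOutcome = (depth, maxDepth) =>
  outcome(() => serializeBounded(nestedObject(depth), [], undefined, maxDepth));

// Middleware-side guard: count bracket nesting of the raw JSON text in one
// linear pass (string literals and escapes skipped), so the check uses
// constant stack and runs before JSON.parse or any serializer sees the body.
function jsonNestingDepth(text) {
  let depth = 0, max = 0, inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === '\\') i++;            // skip the escaped character
      else if (ch === '"') inString = false;
    } else if (ch === '"') {
      inString = true;
    } else if (ch === '{' || ch === '[') {
      depth++;
      if (depth > max) max = depth;
    } else if (ch === '}' || ch === ']') {
      depth--;
    }
  }
  return max;
}
const isWithinDepth = (text, maxDepth) => jsonNestingDepth(text) <= maxDepth;

// Constructed payload text: {"a":{"a":...1...}} nested `depth` levels.
const deepJson = (depth) => '{"a":'.repeat(depth) + '1' + '}'.repeat(depth);

function demo() {
  const MAX_DEPTH = 32; // assumed policy value for this example
  return {
    unboundedDeep: unboundedOutcome(100000),
    boundedDeep: boundedOutcome(100000, MAX_DEPTH),
    boundedShallow: boundedOutcome(10, MAX_DEPTH),
    middlewareRejects: !isWithinDepth(deepJson(100000), MAX_DEPTH),
  };
}
console.log(JSON.stringify(demo()));
```

The point of the text-level check is that it must not be recursive itself: a depth guard written as a recursive walk over the parsed object would overflow on exactly the payload it is meant to reject. Rejecting on the raw body also means the payload is never materialised as a 100,000-level object in the first place.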