CVE-2026-42039

Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1.

INFO

Published Date :

2026-04-24T18:01:30.775Z

Last Modified :

2026-04-24T18:14:37.802Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-42039 vulnerability.

Vendors	Products
Axios	Axios

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-42039.

URL	Resource
https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability