CVE-2026-42039 MEDIUM

CVE-2026-42039: Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

Vendor Axios
Product axios
Weakness CWE-674
Published April 24, 2026
Last update June 30, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1.

Key dates

02Disclosure timeline

April 24, 2026 CVE published
June 30, 2026 Record updated