Uncontrolled Recursion in axios

CVE-2026-42039

axios
org.webjars.npm:axios
org.webjars.npm:github-com-axios-axios
org.webjars.npm:github-com-mzabriskie-axios

Medium

6.9/10

Summary

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.1 and 1.0.0 prior to 1.15.1, FormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-674 - Uncontrolled Recursion

The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

References

Advisory

Advisory Timeline

Published Apr 24, 2026

Uncontrolled Recursion in axios

CVE-2026-42039

Summary

CWE-674 - Uncontrolled Recursion

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS