CVE-2026-42039
Denial of Service vulnerability in axios (npm)
What is CVE-2026-42039 About?
This is a Denial of Service vulnerability in Axios's `toFormData` helper, caused by unbounded recursion when walking deeply nested objects. A malicious, deeply nested payload can exhaust the V8 call stack, crashing the Node.js process. The vulnerability is moderately easy to exploit if attacker-controlled input is forwarded via Axios.
Affected Software
- axios
  - >=1.0.0, <1.15.1
  - <0.31.1
Technical Details
The `toFormData` helper in Axios contains an inner `build(value, path)` function that recursively traverses nested objects and arrays. It has no depth limit, so a highly nested payload (e.g., 2000+ levels deep) raises a 'Maximum call stack size exceeded' RangeError. The `stack` array it keeps only detects circular references; it does not bound depth. The issue is reachable whenever `toFormData` is used to build FormData request bodies or `AxiosURLSearchParams`. In server-side applications that proxy client-supplied JSON through `axios({ data, params })`, this can crash the worker thread or the entire Node.js process synchronously.
What is the Impact of CVE-2026-42039?
Successful exploitation may allow attackers to crash server-side applications that use Axios to forward client-supplied input, leading to a denial of service for legitimate users.
What is the Exploitability of CVE-2026-42039?
Exploitation requires a remote, unauthenticated attacker to supply a deeply nested JSON object (e.g., thousands of levels deep) as input to an application that uses Axios in a proxying or data-forwarding role. There are no authentication or privilege requirements. The attack is fully remote. The complexity is low to moderate, as it involves crafting a specifically structured JSON payload. The primary constraint is that the application must be passing client-controlled input directly into Axios's data or params options without prior sanitization or depth-limiting checks. This can lead to a synchronous process crash, which is a significant risk factor.
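A depth-limiting check of the kind mentioned above, as an added example that is not part of this advisory or of axios itself: it walks client-supplied input with an explicit work list instead of recursion, so the guard cannot itself overflow the call stack on the payload it is meant to reject, and it tracks visited objects so cyclic input terminates. The limit of 32, the function names and the sample input are assumptions.

```javascript
// Added example (not axios code): iterative nesting-depth check to run on
// client-supplied input before it reaches axios({ data, params }).
// An explicit work list replaces recursion, so this check does not hit the
// V8 call-stack limit that toFormData's recursive build() would hit.

const MAX_DEPTH = 32; // assumed limit; set it to what your API really needs

function isContainer(v) {
  return v !== null && typeof v === 'object';
}

// Returns the maximum nesting depth of `value` (scalars are depth 0, a flat
// object is depth 1), stopping early as soon as `limit` is exceeded.
// Visited objects are recorded in a Set so cyclic references terminate;
// toFormData's own `stack` array handles cycles but not depth.
function nestingDepth(value, limit = MAX_DEPTH) {
  if (!isContainer(value)) return 0;
  const seen = new Set();
  const work = [[value, 1]];
  let maxDepth = 0;
  while (work.length) {
    const [node, depth] = work.pop();
    if (depth > limit) return depth; // early exit: already too deep
    if (seen.has(node)) continue;
    seen.add(node);
    if (depth > maxDepth) maxDepth = depth;
    const children = Array.isArray(node) ? node : Object.values(node);
    for (const child of children) {
      if (isContainer(child)) work.push([child, depth + 1]);
    }
  }
  return maxDepth;
}

// Guard to call before forwarding: returns the value unchanged when it is
// within the limit, otherwise throws so the caller can answer with a 400
// instead of crashing the worker inside toFormData.
function assertBoundedDepth(value, limit = MAX_DEPTH) {
  const depth = nestingDepth(value, limit);
  if (depth > limit) {
    throw new RangeError(`payload nesting depth exceeds limit of ${limit}`);
  }
  return value;
}

// Constructed sample input: wraps a leaf object in `levels` extra objects.
function buildNested(levels) {
  let obj = { leaf: 'x' };
  for (let i = 0; i < levels; i++) obj = { inner: obj };
  return obj;
}
```

Call `assertBoundedDepth(req.body)` (or the parsed query object) in the request handler before handing the value to axios.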
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-42039?
Available Upgrade Options
- axios <0.31.1 → Upgrade to 0.31.1
- axios >=1.0.0, <1.15.1 → Upgrade to 1.15.1
Additional Resources
What are Similar Vulnerabilities to CVE-2026-42039?
Similar Vulnerabilities: CVE-2022-26134, CVE-2023-38545, CVE-2023-46726, CVE-2022-0736
