CVE-2026-42039 Overview
A Denial of Service vulnerability exists in Axios, a widely-used promise-based HTTP client for browser and Node.js environments. The vulnerability resides in the toFormData function, which recursively processes nested objects without implementing a depth limit. When an attacker supplies a deeply nested object as request data, the recursive processing exhausts the call stack, causing the Node.js process to crash with a RangeError.
Critical Impact
Attackers can crash Node.js applications using Axios by submitting deeply nested request payloads, leading to service unavailability for legitimate users.
Affected Products
- Axios 1.x versions prior to 1.15.1
- Axios 0.x versions prior to 0.31.1
- Applications using Axios for HTTP request handling in Node.js environments
Discovery Timeline
- 2026-04-24 - CVE-2026-42039 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-42039
Vulnerability Analysis
This vulnerability is classified under CWE-674 (Uncontrolled Recursion). The toFormData utility function in Axios is designed to convert JavaScript objects into FormData format for HTTP requests. However, the implementation lacks proper recursion depth controls when traversing nested object structures.
When processing request data, the function recursively walks through all nested properties without checking how deep the object hierarchy extends. This design flaw allows malicious actors to craft payloads with extreme nesting levels that exceed Node.js's default call stack size, triggering "RangeError: Maximum call stack size exceeded" and terminating the process.
The network-accessible nature of this vulnerability means any endpoint accepting user-controlled data that gets processed through toFormData could be exploited without authentication.
Root Cause
The root cause is the absence of recursion depth validation in the toFormData function. The function iterates through object properties using recursive calls without enforcing a maximum depth counter or using an iterative (explicit-stack) traversal. This oversight allows unbounded stack growth when processing deeply nested input structures, eventually exceeding JavaScript engine limits.
Attack Vector
Exploitation occurs over the network when an attacker sends an HTTP request containing a deeply nested JSON object to a vulnerable application endpoint. The attack requires no authentication or user interaction. When the application attempts to convert this payload to FormData using the vulnerable Axios function, the excessive recursion depth causes the Node.js runtime to crash.
The attack payload consists of an object nested hundreds or thousands of levels deep, structured to maximize stack consumption during the recursive traversal. Since the vulnerability affects availability rather than confidentiality or integrity, the primary impact is service disruption.
Detection Methods for CVE-2026-42039
Indicators of Compromise
- Node.js process crashes with RangeError: Maximum call stack size exceeded errors
- Repeated application restarts or process manager interventions
- HTTP requests containing abnormally nested JSON payloads in logs
- Unusual memory or CPU patterns preceding process termination
Detection Strategies
- Monitor application logs for RangeError exceptions originating from Axios module paths
- Implement request payload depth analysis at the API gateway or WAF level
- Deploy runtime application self-protection (RASP) to detect excessive recursion patterns
- Audit package.json and package-lock.json for vulnerable Axios versions (< 1.15.1 or < 0.31.1)
Monitoring Recommendations
- Configure alerting on Node.js process crashes and unexpected restarts
- Implement request body size and complexity limits at load balancer or reverse proxy
- Enable detailed error logging for HTTP request handlers
- Monitor for patterns of requests with deeply nested JSON structures
How to Mitigate CVE-2026-42039
Immediate Actions Required
- Update Axios to version 1.15.1 or later for the 1.x branch
- Update Axios to version 0.31.1 or later for the 0.x branch
- Review all applications using Axios and prioritize updates for internet-facing services
- Implement input validation to reject requests with excessive object nesting depth
Patch Information
The Axios maintainers have released security patches addressing this vulnerability. Version 1.15.1 and version 0.31.1 include fixes that implement proper recursion depth limits in the toFormData function. For detailed patch information, see the GitHub Security Advisory.
Workarounds
- Implement middleware to validate and limit JSON object nesting depth before processing
- Configure request body parsers with strict depth limits
- Use API gateway rules to reject payloads exceeding a reasonable nesting threshold
- Deploy web application firewall rules to filter deeply nested request bodies
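The depth-limiting middleware described in the first workaround, as an added example (not Axios code or the project's own fix). It assumes an Express-style req/res/next signature and that a JSON body parser has already run; the depth check uses an explicit stack rather than recursion so the guard itself cannot overflow the call stack, and the 10,000-level sample object is constructed here for the test only.

```javascript
// Added example, not part of Axios: reject over-deep JSON bodies before they
// reach toFormData or any other recursive consumer.

const MAX_DEPTH = 32; // assumption: generous for legitimate API payloads

// Maximum nesting depth of objects/arrays in `value` (scalar = 0, {} = 1).
// Uses an explicit stack, so very deep input cannot overflow the call stack.
function nestingDepth(value) {
  let max = 0;
  const stack = [[value, 1]];
  while (stack.length > 0) {
    const [node, depth] = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth > max) max = depth;
    for (const child of Object.values(node)) {
      if (child !== null && typeof child === 'object') stack.push([child, depth + 1]);
    }
  }
  return max;
}

// Express-style middleware factory (assumed signature: req, res, next).
function limitNestingDepth(maxDepth = MAX_DEPTH) {
  return function (req, res, next) {
    const depth = nestingDepth(req.body);
    if (depth > maxDepth) {
      return res.status(400).json({ error: `JSON nesting depth ${depth} exceeds limit ${maxDepth}` });
    }
    next();
  };
}

// Constructed sample input: an object nested `levels` deep, built without recursion.
function buildNested(levels) {
  let obj = { leaf: 1 };
  for (let i = 0; i < levels; i++) obj = { a: obj };
  return obj;
}

// Drive the middleware with fake req/res objects; returns { code, ...body }.
function checkBody(body, maxDepth = MAX_DEPTH) {
  let outcome = null;
  const res = {
    status(code) { this.code = code; return this; },
    json(payload) { outcome = { code: this.code, ...payload }; },
  };
  limitNestingDepth(maxDepth)({ body }, res, () => { outcome = { code: 200 }; });
  return outcome;
}
```

Mount it after the JSON body parser and before any handler that forwards request data through Axios; a legitimate payload passes through unchanged, while a deeply nested one is answered with HTTP 400 instead of crashing the process.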
# Update Axios to a patched version (1.x branch)
npm install axios@^1.15.1
# For applications still on the 0.x branch
npm install axios@^0.31.1
# Verify installed version
npm list axios
# Alternative: update using yarn
yarn upgrade axios@^1.15.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.