Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
- Severity:
- Medium
Description
toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError.
Recommendation
Update the axios package to the latest compatible version. Followings are version details:
Affected version(s): **<= 0.31.0 >= 1.0.0, < 1.15.1** Patched version(s): **0.31.1 1.15.1**
References
Related Issues
- Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream - CVE-2026-42037
- Seroval affected by Denial of Service via Deeply Nested Objects - CVE-2026-24006
- Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking - CVE-2026-42033
- Parse Server crash via deeply nested query condition operators - CVE-2026-32944
You might also like:
- Tags:
- npm
- axios
Anything's wrong? Let us know Last updated on May 05, 2026


