Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

Description

toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError.

Recommendation

Update the axios package to the latest compatible version. Followings are version details:

• Affected version(s): **<= 0.31.0

  >= 1.0.0, < 1.15.1**

• Patched version(s): **0.31.1

  1.15.1**

References

• GHSA-62hf-57xw-28j9
• CVE-2026-42039
• CWE-674
• CAPEC-310
• OWASP 2021-A6

Related Issues

• yaml is vulnerable to Stack Overflow via deeply nested YAML collections - CVE-2026-33532
• Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - CVE-2026-2581
• Parse Server crash via deeply nested query condition operators - CVE-2026-32944
• Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking - CVE-2026-42033

You might also like:

CSRF, XXE, and 12 Other Security Acronyms Explained

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

axios