CVE-2026-42039
Published: 24 April 2026
Summary
CVE-2026-42039 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Axios. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 16.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Remediating flaws in third-party libraries like Axios by timely patching to fixed versions (1.15.1 or 0.31.1) directly eliminates the uncontrolled recursion vulnerability.
Validating the structure and depth of incoming request data objects prevents processing of deeply nested payloads that trigger the Axios toFormData recursion crash.
Vulnerability scanning of dependencies detects vulnerable Axios versions, enabling proactive flaw remediation before exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of uncontrolled recursion in Axios toFormData, directly causing Node.js process crash and denial of service, mapping to Application or System Exploitation under Endpoint Denial of Service.
NVD Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1.
Deeper analysis
CVE-2026-42039 affects Axios, a promise-based HTTP client library used in browsers and Node.js environments. In versions prior to 1.15.1 (for the 1.x branch) and 0.31.1 (for the 0.x branch), the `toFormData` function recursively traverses nested objects without any depth limitation. When a deeply nested object is passed as request data, this unbounded recursion triggers a RangeError, causing the Node.js process to crash. The vulnerability is classified under CWE-674 (Uncontrolled Recursion) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption.
A remote, unauthenticated attacker can exploit this vulnerability by crafting and sending HTTP requests containing deeply nested objects as form data to any application relying on a vulnerable Axios version in a Node.js backend. No user interaction or privileges are required, and exploitation is straightforward over the network with low complexity. Successful exploitation results in a denial-of-service condition, as the targeted Node.js process terminates abruptly due to the stack overflow from recursion.
The official GitHub security advisory (GHSA-62hf-57xw-28j9) confirms the issue and states that it is fully remediated by upgrading to Axios 1.15.1 or 0.31.1, which introduce recursion depth limits in the `toFormData` function. Security practitioners should audit dependencies, prioritize updates for Node.js applications using Axios, and consider input validation on request data as an interim measure.
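The interim measure suggested above (validating the nesting depth of request data before it reaches `toFormData`) and the mechanism described in the deeper analysis can be illustrated with a small depth guard. The following is an added example written for this page; it is not code from the Axios project or from the advisory. It assumes request payloads arrive as plain JavaScript objects or arrays (for instance parsed JSON), treats anything else (Buffers, Dates, Maps) as a leaf, and uses an explicit stack rather than recursion so that the guard itself cannot overflow the call stack on the very input it is meant to reject. The `guardedPost` wrapper and the depth limit of 8 are assumptions for illustration, not Axios API.

```javascript
'use strict';

// Added example (not Axios project code): reject over-nested request data
// before it is handed to an Axios version whose toFormData recurses without limit.

// Only arrays and plain objects count as nesting levels; everything else is a leaf.
function isContainer(value) {
  return Array.isArray(value) ||
    Object.prototype.toString.call(value) === '[object Object]';
}

// Depth of a value: 0 for leaves, 1 for an empty container, 1 + deepest child otherwise.
// Iterative walk with an explicit stack: the guard never grows the JS call stack.
function nestingDepth(value) {
  if (!isContainer(value)) return 0;
  let maxDepth = 0;
  const seen = new Set();            // cyclic references are visited once and not followed again
  const stack = [{ node: value, depth: 1 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (seen.has(node)) continue;
    seen.add(node);
    if (depth > maxDepth) maxDepth = depth;
    const children = Array.isArray(node) ? node : Object.values(node);
    for (const child of children) {
      if (isContainer(child)) stack.push({ node: child, depth: depth + 1 });
    }
  }
  return maxDepth;
}

// Validation result suitable for an input-validation layer (e.g. before serialising a request).
// maxDepth = 8 is an assumed, application-specific limit; tune it to the shapes you actually send.
function validateRequestData(data, maxDepth = 8) {
  const depth = nestingDepth(data);
  if (depth > maxDepth) {
    return { ok: false, depth, reason: `nesting depth ${depth} exceeds limit ${maxDepth}` };
  }
  return { ok: true, depth };
}

// Hypothetical wrapper around an axios-like client: refuse to pass over-nested data to client.post.
function guardedPost(client, url, data, maxDepth = 8) {
  const check = validateRequestData(data, maxDepth);
  if (!check.ok) return Promise.reject(new Error(check.reason));
  return client.post(url, data);
}

// Constructed test input: {"k":{"k":{...}}} nested `levels` deep, ending in a string leaf.
function buildNested(levels) {
  let obj = 'leaf';
  for (let i = 0; i < levels; i += 1) obj = { k: obj };
  return obj;
}

// Demonstration with constructed payloads and a fake client (no network access).
const fakeClient = { post: (url, data) => Promise.resolve({ url, depth: nestingDepth(data) }) };
console.log(validateRequestData({ user: { name: 'alice', tags: ['a', 'b'] } }));
console.log(validateRequestData(buildNested(20)));
guardedPost(fakeClient, '/api/submit', { user: { name: 'alice' } })
  .then((r) => console.log('accepted:', r));
guardedPost(fakeClient, '/api/submit', buildNested(20))
  .catch((e) => console.log('rejected:', e.message));
```

The same `nestingDepth` check can sit on the server side as well, in whatever body-validation step precedes business logic, so that a deeply nested payload is refused at the edge rather than being forwarded through a vulnerable client. Upgrading to 1.15.1 or 0.31.1 remains the actual fix; the guard only narrows exposure until the dependency is updated.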
Details
- CWE(s)