CVE-2026-42039: Uncontrolled Recursion Denial of Service in Axios toFormData

CVE-2026-42039 is a high-severity Denial of Service (DoS) vulnerability in Axios, a widely utilized promise-based HTTP client for Node.js and browser environments. The vulnerability originates in the toFormData utility function, which serializes nested JavaScript objects into multipart/form-data or URL-encoded formats. This function is invoked implicitly when developers pass JavaScript objects to HTTP methods with specific content types or as URL parameters.

The root cause is classified as CWE-674: Uncontrolled Recursion. The internal build helper function, responsible for traversing the input object tree, processes nested properties recursively without an explicit depth limit. This implementation assumes that object structures will remain within typical usage boundaries and relies on standard execution stack capacities.

When an attacker submits a maliciously crafted, highly nested JSON object, the recursive traversal continues indefinitely until it exhausts the finite call stack of the JavaScript engine. In server-side Node.js applications, this stack exhaustion throws a synchronous RangeError: Maximum call stack size exceeded exception. Unless explicitly caught by wrapping the Axios call in a defensive try-catch block, this unhandled exception terminates the Node.js process entirely, fulfilling the conditions for a Denial of Service.

The vulnerability resides within the lib/helpers/toFormData.js module, specifically in the internal build function. This function takes an input value, an accumulated path array, and recursively breaks down complex objects into flat key-value pairs suitable for HTTP form submission. Prior to the patch, the function logic verified object types and managed circular references using a stack array, but omitted tracking for recursive descent depth.

JavaScript engines, including V8 used by Node.js, allocate a finite amount of memory for the execution call stack. Each invocation of the build function consumes a stack frame to store local variables, arguments, and return addresses. Without a depth limit, an object nested to thousands of levels forces the engine to allocate a proportional number of stack frames.

While the implementation successfully mitigates infinite loops caused by circular object references, a linear nested structure bypasses this protection. The circular reference check only prevents processing identical object references multiple times. A deeply nested tree of distinct objects evades this check entirely, progressing until the engine's hard limits are reached.

Once the call stack limit is breached, the V8 engine synchronously aborts the current operation and throws a RangeError. Because Axios invokes this serialization process synchronously during request configuration, the exception propagates up the call stack immediately. If the calling application lacks rigorous unhandled exception management, the entire server process crashes.

The vulnerability is resolved by introducing an explicit maxDepth limit during the recursive traversal. The patch modifies lib/helpers/toFormData.js to track the current depth level and abort operations that exceed a configurable threshold.

// Pre-patch vulnerable implementation
function build(value, path) {
  if (utils.isUndefined(value)) return;
  // ... (circular reference tracking via stack)
  
  // Recursive call lacks depth tracking
  build(el, path ? path.concat(key) : [key]);
}

The patched version introduces the maxDepth option, defaulting to 100 levels. The build signature is updated to accept a depth integer, incremented by one on each recursive descent. If depth exceeds maxDepth, the function throws a controlled AxiosError instead of allowing the engine to exhaust the call stack.

// Post-patch secure implementation
const maxDepth = options.maxDepth === undefined ? 100 : options.maxDepth;
 
function build(value, path, depth = 0) {
  if (utils.isUndefined(value)) return;
 
  // Depth guard prevents stack exhaustion
  if (depth > maxDepth) {
    throw new AxiosError(
      'Object is too deeply nested (' + depth + ' levels). Max depth: ' + maxDepth,
      AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED
    );
  }
  // ... (circular reference tracking)
  
  // Recursive call with incremented depth
  build(el, path ? path.concat(key) : [key], depth + 1);
}

This remediation ensures that serialization aborts gracefully. The controlled error returned by Axios can be handled via standard Promise rejection pathways, preserving process stability while rejecting malformed inputs.

Exploiting this vulnerability requires an application to ingest untrusted user input and subsequently pass it to Axios for outbound network requests. The attacker must control the structure of the data payload. Typical exploitation scenarios involve applications proxying user requests to third-party APIs or internal microservices.

The attacker crafts a payload utilizing extreme structural nesting. By formatting a JSON payload where a single key continuously points to a child object, the attacker constructs a linear chain of references. In practical testing, a nesting depth of approximately 2,000 to 2,500 levels consistently triggers the stack exhaustion limit in standard Node.js environments.

const axios = require('axios');
 
// Construct malicious payload with 2500 depth levels
let data = { leaf: "value" };
for (let i = 0; i < 2500; i++) {
    data = { a: data };
}
 
// Trigger vulnerability
try {
    axios.post('https://example.com/api', data, {
        headers: { 'Content-Type': 'multipart/form-data' }
    });
} catch (e) {
    console.error(e); // RangeError: Maximum call stack size exceeded
}

The server receives this object, parses the JSON structure without issue, and forwards the parsed object to Axios. When Axios attempts to serialize the payload for the outbound request, the uncontrolled recursion triggers the process crash. The exploit demands no authentication unless the vulnerable application endpoint requires it, operating entirely over network vectors.

The primary security impact of CVE-2026-42039 is Denial of Service. In Node.js environments, unhandled exceptions resulting from stack exhaustion terminate the running process. An attacker capable of submitting malformed requests continuously can keep the target service offline, leading to total availability loss for the affected component.

While the vulnerability exists in the shared codebase utilized by both Node.js and browser environments, the practical impact diverges significantly. In a browser context, the crash is isolated to the client's current tab or web worker. This local crash limits the attack scope to degrading the individual user's experience rather than compromising infrastructure.

The CVSS v3.1 vector evaluates to 7.5 (High) via CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The attack requires low complexity, no privileges, and operates over the network. The impact is isolated strictly to availability; the vulnerability offers no pathways for confidentiality breaches, data integrity modification, or remote code execution.

Threat intelligence indicates that while proof-of-concept exploits are publicly available, no active weaponization campaigns currently target this flaw. The EPSS score is exceptionally low at 0.00052, reflecting the targeted nature of the vulnerability. Only applications specifically configured to forward user-provided objects via multipart/form-data or URL encoding routines are susceptible.

The standard remediation path requires updating the axios dependency to version 1.15.1 or 0.31.1. These versions incorporate the recursive depth limit natively, defaulting to a maximum depth of 100 levels. Upgrading replaces the unhandled stack exception with a controlled asynchronous rejection, allowing the application code to handle the error normally.

If immediate dependency updates are not feasible, development teams must implement input validation at the application boundary. Validating incoming JSON requests to ensure maximum object depth stays below 50 levels mitigates the vector before the data reaches the Axios client. This can be achieved through custom middleware or robust schema validation libraries.

For unique use cases requiring extensive data nesting beyond the new 100-level limit, developers can override the threshold via the formSerializer configuration option. Modifying this value should be done meticulously, as allocating excessively high limits restores the vulnerability profile.

// Modifying the limit only when strictly necessary
axios.post('https://example.com/api', largeValidObject, { 
    formSerializer: { maxDepth: 250 } 
});

Setting maxDepth: Infinity intentionally disables the security control and is strongly discouraged. Security teams should scan codebases for this anti-pattern during code review to ensure the mitigation remains effective.