Skip to main content

Axios EUVD-2026-25605

| CVE-2026-42039 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-04-24 GitHub_M GHSA-62hf-57xw-28j9
Node.js Denial Of Service Red Hat Suse
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
Apr 27, 2026 - 19:50 nvd
Patch available
Patch available
Apr 24, 2026 - 20:17 EUVD
Analysis Generated
Apr 24, 2026 - 18:45 vuln.today
CVSS changed
Apr 24, 2026 - 18:22 NVD
6.9 (MEDIUM)
EUVD ID Assigned
Apr 24, 2026 - 18:15 euvd
EUVD-2026-25605
Analysis Generated
Apr 24, 2026 - 18:15 vuln.today
CVE Published
Apr 24, 2026 - 18:01 nvd
MEDIUM 6.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 273 npm packages depend on axios (189 direct, 84 indirect)

Ecosystem-wide dependent count for version 1.0.0.

DescriptionGitHub Advisory

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1.

AnalysisAI

Denial of service in Axios HTTP client before versions 1.15.1 and 0.31.1 allows remote unauthenticated attackers to crash Node.js processes by sending requests with deeply nested object structures that trigger unbounded recursion in the toFormData function. The vulnerability affects both browser and Node.js environments but is exploitable in server-side Node.js deployments where attacker-controlled data is passed to toFormData without depth validation.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts JSON payload with deep nesting
Delivery
Sends HTTP request to vulnerable Axios endpoint
Exploit
Axios toFormData parses nested object
Execution
Recursive traversal exceeds call stack
Persist
Node.js process crashes with RangeError
Impact
Service unavailable to legitimate clients
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that the application explicitly calls Axios with request data containing nested objects passed through toFormData conversion. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 6.9 with AV:N/AC:L/PR:N/UI:N indicates network-accessible remote unauthenticated attack with no special complexity or user interaction required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends an HTTP POST request to a Node.js application using Axios, with a JSON payload containing an object nested 10,000 levels deep (e.g., {a: {b: {c: {...}}}). When the application receives this request and passes the parsed JSON object to Axios toFormData during request preparation (common in APIs that proxy form submissions), the recursive function enters an infinite call stack, causing the Node.js process to crash with RangeError: Maximum call stack size exceeded. …
Remediation Upgrade Axios to version 1.15.1 or later for the 1.x branch, or version 0.31.1 or later for the 0.x branch. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53633 CRITICAL
9.8 Jun 15

Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) a
CVE-2026-48714 CRITICAL
9.1 Jun 15

Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.p
CVE-2026-53609 CRITICAL
9.1 Jun 12

Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object
CVE-2026-48054 HIGH
8.8 Jun 11

Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied
CVE-2026-53608 HIGH
8.7 Jun 12

Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default edito

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-25605 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy