Resource exhaustion in axios - #VU136906
Published: July 6, 2026
axios
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in formDataToJSON when parsing attacker-controlled FormData field names with deeply nested bracket segments. A remote attacker can send crafted FormData input to cause a denial of service.
The issue affects direct use of axios.formToJSON() and JSON serialization of FormData when the Content-Type contains application/json.