Uncontrolled Recursion in axios - #VU136907
Published: July 6, 2026
axios
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled recursion in formDataToJSON when processing attacker-controlled FormData field names during FormData-to-JSON conversion. A remote attacker can supply a crafted FormData field name with deeply nested bracket segments to cause a denial of service.
The vulnerable request-transform path is reached when FormData is sent with an application/json content type, and direct use of formToJSON() throws synchronously.