Uncontrolled Recursion in axios - #VU136919
Published: July 6, 2026
axios
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled recursion in lib/helpers/toFormData.js when serializing an object with a top-level key ending in {} and a deeply nested object value. A remote attacker can supply crafted object keys and nested values to trigger a stack overflow and cause a denial of service.
The issue affects form and parameter serialization paths that delegate to toFormData, and the thrown error is a raw RangeError rather than the intended AxiosError depth-limit signal.