CVE-2026-42039
published 2026-04-24
medium 6.9 (CVSS 4.0)
AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1.
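One way for a caller to bound nesting in untrusted request data before it reaches the HTTP client, as an added example that is not axios code and not the upstream fix. The names `MAX_DEPTH`, `exceedsDepth`, `guardRequestData` and `nested` are hypothetical, and the limit of 32 is an assumed application policy.

```javascript
// Added example (not axios code). MAX_DEPTH is an assumed application policy.
const MAX_DEPTH = 32;

// Returns true if `value` nests objects/arrays more than `limit` levels deep.
// Uses an explicit stack instead of recursion, so the check itself cannot
// exhaust the call stack on the input it is meant to reject.
function exceedsDepth(value, limit) {
  const deepestSeen = new Map(); // object -> greatest depth at which it was reached
  const stack = [[value, 1]];    // the top-level container counts as depth 1
  while (stack.length > 0) {
    const [node, depth] = stack.pop();
    // Primitives and binary views (Buffer, typed arrays) add no nesting.
    if (node === null || typeof node !== 'object' || ArrayBuffer.isView(node)) continue;
    if (depth > limit) return true;
    // Revisit a shared object only when reached at a greater depth. A circular
    // reference therefore keeps deepening until it trips the limit.
    if ((deepestSeen.get(node) || 0) >= depth) continue;
    deepestSeen.set(node, depth);
    for (const child of Object.values(node)) stack.push([child, depth + 1]);
  }
  return false;
}

// Throws a catchable error for over-deep data; otherwise returns it unchanged.
function guardRequestData(data, limit = MAX_DEPTH) {
  if (exceedsDepth(data, limit)) {
    const err = new Error(`request data nested deeper than ${limit} levels`);
    err.code = 'ERR_DATA_TOO_DEEP'; // constructed code, not an axios error code
    throw err;
  }
  return data;
}

// Constructed sample input: `levels` nested objects around a string leaf,
// built with a loop so that building it does not recurse either.
function nested(levels) {
  let value = 'leaf';
  for (let i = 0; i < levels; i++) value = { child: value };
  return value;
}
```

Call `guardRequestData` on any externally supplied body before passing it as request data, and treat the thrown error as a rejected request rather than a process failure.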
Affected
62 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | system-rhel7 | — | — |
| 3scale-amp2 | system-rhel8 | — | — |
| 3scale-amp2 | system-rhel9 | — | — |
| 3scale-amp21 | system | — | — |
| 3scale-amp22 | system | — | — |
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform | automation-dashboard-rhel9 | — | — |
| ansible-automation-platform | automation-portal | — | — |
| apicurio | apicurio-registry-ui-rhel8 | — | — |
| apicurio | apicurio-registry-ui-rhel9 | — | — |
| axios | axios | < 0.31.1 | 0.31.1 |
| axios | axios | — | — |
| axios | axios | — | — |
| axios | axios | >= 0 < 0.31.1 | 0.31.1 |
| axios | axios | >= 1.0.0 < 1.15.1 | 1.15.1 |
| axios | axios | >= 1.0.0 < 1.15.1 | 1.15.1 |
| boost | boost | — | — |
| container-native-virtualization | kubevirt-console-plugin | — | — |
| container-native-virtualization | kubevirt-console-plugin-rhel9 | — | — |
| devspaces | code-rhel9 | — | — |
| devspaces | dashboard-rhel9 | — | — |
| discovery | discovery-ui-rhel9 | — | — |
| gatekeeper | gatekeeper-rhel9 | — | — |
| grafana | grafana | — | — |