{ "threat_severity" : "Important", "public_date" : "2026-04-24T18:01:30Z", "bugzilla" : { "description" : "axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data", "id" : "2461630", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461630" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-770", "details" : [ "A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the `toFormData` function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js process to crash due to a RangeError, leading to a potential Denial of Service (DoS) if the process crashes." ], "affected_release" : [ { "product_name" : "multicluster engine for Kubernetes 2.6", "release_date" : "2026-05-14T00:00:00Z", "advisory" : "RHSA-2026:17657", "cpe" : "cpe:/a:redhat:multicluster_engine:2.6::el9", "package" : "multicluster-engine/console-mce-rhel9:1778511348" }, { "product_name" : "multicluster engine for Kubernetes 2.8", "release_date" : "2026-05-14T00:00:00Z", "advisory" : "RHSA-2026:17699", "cpe" : "cpe:/a:redhat:multicluster_engine:2.8::el9", "package" : "multicluster-engine/console-mce-rhel9:1778383863" }, { "product_name" : "multicluster engine for Kubernetes 2.9", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19109", "cpe" : "cpe:/a:redhat:multicluster_engine:2.9::el9", "package" : "multicluster-engine/console-mce-rhel9:1778532610" }, { "product_name" : "Network Observability (NETOBSERV) 1.11.2", "release_date" : "2026-05-13T00:00:00Z", "advisory" : "RHSA-2026:16874", "cpe" : "cpe:/a:redhat:network_observ_optr:1.11::el9", "package" : "network-observability/network-observability-console-plugin-rhel9:1778510461" }, { "product_name" : "Red Hat Advanced Cluster Security for Kubernetes 4.10", "release_date" : "2026-05-26T00:00:00Z", "advisory" : "RHSA-2026:20889", "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.10::el8", "package" : "advanced-cluster-security/rhacs-main-rhel8:1779293013" }, { "product_name" : "Red Hat Advanced Cluster Security for Kubernetes 4.9", "release_date" : "2026-05-26T00:00:00Z", "advisory" : "RHSA-2026:20938", "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.9::el8", "package" : "advanced-cluster-security/rhacs-main-rhel8:1779371594" }, { "product_name" : "Red Hat Developer Hub 1.8", "release_date" : "2026-05-27T00:00:00Z", "advisory" : "RHSA-2026:21338", "cpe" : "cpe:/a:redhat:rhdh:1.8::el9", "package" : "rhdh/rhdh-hub-rhel9:1779841586" }, { "product_name" : "Red Hat Discovery 2", "release_date" : "2026-05-07T00:00:00Z", "advisory" : "RHSA-2026:14937", "cpe" : "cpe:/a:redhat:discovery:2::el9", "package" : "discovery/discovery-ui-rhel9:1778156756" }, { "product_name" : "Red Hat OpenShift Container Platform 4.2", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:17468", "cpe" : "cpe:/a:redhat:openshift:4.20::el9", "package" : "openshift4/ose-agent-installer-ui-rhel9:1778645099" }, { "product_name" : "Red Hat OpenShift Container Platform 4.21", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:17474", "cpe" : "cpe:/a:redhat:openshift:4.21::el9", "package" : "openshift4/ose-agent-installer-ui-rhel9:1778539338" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3.28", "release_date" : "2026-05-28T00:00:00Z", "advisory" : "RHSA-2026:21772", "cpe" : "cpe:/a:redhat:openshift_devspaces:3.28::el9", "package" : "devspaces/code-rhel9:1779814592" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3.28", "release_date" : "2026-05-28T00:00:00Z", "advisory" : "RHSA-2026:21772", "cpe" : "cpe:/a:redhat:openshift_devspaces:3.28::el9", "package" : "devspaces/dashboard-rhel9:1779341289" }, { "product_name" : "Red Hat OpenShift Service Mesh 2.6", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16476", "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8", "package" : "openshift-service-mesh/kiali-ossmc-rhel8:1778191473" }, { "product_name" : "Red Hat OpenShift Service Mesh 2.6", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16476", "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8", "package" : "openshift-service-mesh/kiali-rhel8:1778191378" }, { "product_name" : "Red Hat OpenShift Service Mesh 3", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16534", "cpe" : "cpe:/a:redhat:service_mesh:3.0::el9", "package" : "openshift-service-mesh/kiali-ossmc-rhel9:1778163785" }, { "product_name" : "Red Hat OpenShift Service Mesh 3", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16534", "cpe" : "cpe:/a:redhat:service_mesh:3.0::el9", "package" : "openshift-service-mesh/kiali-rhel9:1778164208" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.1", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16532", "cpe" : "cpe:/a:redhat:service_mesh:3.1::el9", "package" : "openshift-service-mesh/kiali-ossmc-rhel9:1778163935" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.1", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16532", "cpe" : "cpe:/a:redhat:service_mesh:3.1::el9", "package" : "openshift-service-mesh/kiali-rhel9:1778164042" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.2", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16535", "cpe" : "cpe:/a:redhat:service_mesh:3.2::el9", "package" : "openshift-service-mesh/kiali-ossmc-rhel9:1778163792" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.2", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16535", "cpe" : "cpe:/a:redhat:service_mesh:3.2::el9", "package" : "openshift-service-mesh/kiali-rhel9:1778163909" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.3", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16542", "cpe" : "cpe:/a:redhat:service_mesh:3.3::el9", "package" : "openshift-service-mesh/kiali-ossmc-rhel9:1778163785" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.3", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16542", "cpe" : "cpe:/a:redhat:service_mesh:3.3::el9", "package" : "openshift-service-mesh/kiali-rhel9:1778163986" }, { "product_name" : "Red Hat Quay 3.14", "release_date" : "2026-05-26T00:00:00Z", "advisory" : "RHSA-2026:21017", "cpe" : "cpe:/a:redhat:quay:3.14::el8", "package" : "quay/quay-rhel8:1779689392" }, { "product_name" : "Red Hat Quay 3.16", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19375", "cpe" : "cpe:/a:redhat:quay:3.16::el9", "package" : "quay/quay-rhel9:1779204086" } ], "package_state" : [ { "product_name" : "Cryostat 4", "fix_state" : "Not affected", "package_name" : "axios", "cpe" : "cpe:/a:redhat:cryostat:4" }, { "product_name" : "Gatekeeper 3", "fix_state" : "Not affected", "package_name" : "gatekeeper/gatekeeper-rhel9", "cpe" : "cpe:/a:redhat:gatekeeper:3" }, { "product_name" : "Migration Toolkit for Applications 8", "fix_state" : "Affected", "package_name" : "mta/mta-ui-rhel8", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8" }, { "product_name" : "Migration Toolkit for Applications 8", "fix_state" : "Affected", "package_name" : "mta/mta-ui-rhel9", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8" }, { "product_name" : "Migration Toolkit for Containers", "fix_state" : "Affected", "package_name" : "rhmtc/openshift-migration-ui-rhel8", "cpe" : "cpe:/a:redhat:rhmt:1" }, { "product_name" : "Network Observability Operator", "fix_state" : "Affected", "package_name" : "network-observability/network-observability-console-plugin-compat-rhel9", "cpe" : "cpe:/a:redhat:network_observ_optr:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Affected", "package_name" : "openshift-pipelines/pipelines-hub-ui-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Affected", "package_name" : "openshift-pipelines/pipelines-hub-ui-rhel9", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Service Mesh 3", "fix_state" : "Not affected", "package_name" : "openshift-service-mesh/kiali-operator-bundle", "cpe" : "cpe:/a:redhat:service_mesh:3" }, { "product_name" : "OpenShift Service Mesh 3", "fix_state" : "Not affected", "package_name" : "openshift-service-mesh/kiali-rhel9-operator", "cpe" : "cpe:/a:redhat:service_mesh:3" }, { "product_name" : "Red Hat 3scale API Management Platform 2", "fix_state" : "Not affected", "package_name" : "3scale-amp21/system", "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2" }, { "product_name" : "Red Hat 3scale API Management Platform 2", "fix_state" : "Not affected", "package_name" : "3scale-amp22/system", "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2" }, { "product_name" : "Red Hat 3scale API Management Platform 2", "fix_state" : "Not affected", "package_name" : "3scale-amp2/system-rhel7", "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2" }, { "product_name" : "Red Hat 3scale API Management Platform 2", "fix_state" : "Affected", "package_name" : "3scale-amp2/system-rhel8", "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2" }, { "product_name" : "Red Hat 3scale API Management Platform 2", "fix_state" : "Affected", "package_name" : "3scale-amp2/system-rhel9", "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/console-rhel9", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-26/gateway-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform/automation-dashboard-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "automation-controller", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "automation-gateway", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Will not fix", "package_name" : "automation-hub", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "automation-platform-ui", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "python3.11-galaxy-ng", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "python3.12-galaxy-ng", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "python3x-galaxy-ng", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "python-galaxy-ng", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Not affected", "package_name" : "axios", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Affected", "package_name" : "axios", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Apicurio Registry 3", "fix_state" : "Affected", "package_name" : "apicurio/apicurio-registry-ui-rhel8", "cpe" : "cpe:/a:redhat:apicurio_registry:3" }, { "product_name" : "Red Hat build of Apicurio Registry 3", "fix_state" : "Affected", "package_name" : "apicurio/apicurio-registry-ui-rhel9", "cpe" : "cpe:/a:redhat:apicurio_registry:3" }, { "product_name" : "Red Hat Build of Podman Desktop - Tech Preview", "fix_state" : "Will not fix", "package_name" : "rhdesktop/rh-podman-desktop-ext-openshift-local-rhel10", "cpe" : "cpe:/a:redhat:podman_desktop:0" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Affected", "package_name" : "axios", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "grafana", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "grafana", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Affected", "package_name" : "rhelai3/bootc-cuda-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Affected", "package_name" : "rhelai3/bootc-rocm-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Affected", "package_name" : "rhelai3/disk-image-cuda-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "axios", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Hardened Images", "fix_state" : "Not affected", "package_name" : "boost", "cpe" : "cpe:/a:redhat:hummingbird:1" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-dashboard-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-dashboard-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-mod-arch-gen-ai-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-mod-arch-maas-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-mod-arch-model-registry-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift3/ose-console", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-console", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-console-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-monitoring-plugin-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Virtualization 4", "fix_state" : "Not affected", "package_name" : "container-native-virtualization/kubevirt-console-plugin", "cpe" : "cpe:/a:redhat:container_native_virtualization:4" }, { "product_name" : "Red Hat OpenShift Virtualization 4", "fix_state" : "Affected", "package_name" : "container-native-virtualization/kubevirt-console-plugin-rhel9", "cpe" : "cpe:/a:redhat:container_native_virtualization:4" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "axios", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "satellite/iop-advisor-frontend-rhel9", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "satellite/iop-host-inventory-frontend-rhel9", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "satellite/iop-vulnerability-frontend-rhel9", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Trusted Artifact Signer", "fix_state" : "Not affected", "package_name" : "rhtas/rhtas-console-ui-rhel9", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1" }, { "product_name" : "Red Hat Trusted Profile Analyzer", "fix_state" : "Not affected", "package_name" : "rhtpa/rhtpa-trustification-service-rhel9", "cpe" : "cpe:/a:redhat:trusted_profile_analyzer:2" }, { "product_name" : "Self-service automation portal 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform/automation-portal", "cpe" : "cpe:/a:redhat:ansible_portal:2" }, { "product_name" : "streams for Apache Kafka 2", "fix_state" : "Not affected", "package_name" : "axios", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "streams for Apache Kafka 3", "fix_state" : "Not affected", "package_name" : "axios", "cpe" : "cpe:/a:redhat:amq_streams:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-42039\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42039\nhttps://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9" ], "name" : "CVE-2026-42039", "csaw" : false }