Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
Published: 2026-02-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Axios, a promise based HTTP client for browser and Node.js, has a flaw in its mergeConfig function where passing a configuration object with an own __proto__ property causes a TypeError crash. This results in a complete denial of service for the application process that uses Axios. The weakness is a combination of improper handling of prototype properties (CWE-1287) and unvalidated merge logic (CWE-754).

Affected Systems

All Axios users running a version earlier than 0.30.3 or 1.13.5 are vulnerable. This includes machines and applications that build Axios into their JavaScript code for HTTP requests, regardless of the runtime environment (Node.js or browsers).

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity but the EPSS score below 1% shows a low likelihood of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a malicious configuration object—typically via JSON.parse()—to an Axios instance that processes untrusted input. The attack vector is application‑level data injection rather than a remote network attack, meaning it requires the attacker to influence configuration data that is fed into the mergeConfig routine.

Generated by OpenCVE AI on April 17, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Axios to version 0.30.3 or newer, or to 1.13.5 or newer.
  • Validate all configuration objects before passing them to mergeConfig, ensuring that no __proto__ property is present.
  • Limit the use of mergeConfig to trusted, internal data and avoid merging untrusted configuration objects in production code.

Generated by OpenCVE AI on April 17, 2026 at 21:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-43fc-jf86-j433 Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
History

Wed, 18 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in 1.13.5. Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
CPEs cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*
References

Thu, 12 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1287
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 10 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Axios
Axios axios
Vendors & Products Axios
Axios axios

Mon, 09 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in 1.13.5.
Title Axios affected by Denial of Service via __proto__ Key in mergeConfig
Weaknesses CWE-754
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Axios Axios
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-18T17:16:16.391Z

Reserved: 2026-02-04T05:15:41.791Z

Link: CVE-2026-25639

cve-icon Vulnrichment

Updated: 2026-02-10T15:39:47.277Z

cve-icon NVD

Status : Modified

Published: 2026-02-09T21:15:49.010

Modified: 2026-02-18T18:24:34.120

Link: CVE-2026-25639

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-09T20:11:22Z

Links: CVE-2026-25639 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:15:27Z

Weaknesses