CVE-2026-25639

High CVSS: 7.5

Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.

Vendor

Axios

Product

Axios

CWE

CWE-754

Yayın Tarihi

2026-02-09 21:15:49

Güncelleme

2026-02-18 18:24:34

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-754 Axios HIGH Axios 2026

Referanslar

https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57 https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e https://github.com/axios/axios/pull/7369 https://github.com/axios/axios/pull/7388 https://github.com/axios/axios/releases/tag/v0.30.3 https://github.com/axios/axios/releases/tag/v1.13.5 https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433

Benzer Kayıtlar

High

CVE-2025-58754

Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to ver…

High

CVE-2025-27152

axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather tha…

Unknown

CVE-2024-57965

In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a po…