Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing proto as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25639.json",
"cwe_ids": [
"CWE-754"
],
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "0.30.3"
},
{
"introduced": "1.0.0"
},
{
"fixed": "1.13.5"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}