CVE-2026-25639 in Axios
Summary
by MITRE • 02/09/2026
Axios is a promise-based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
Analysis
by VulDB Data Team • 03/12/2026
The vulnerability identified as CVE-2026-25639 affects Axios, a widely used promise-based HTTP client for both browser and Node.js environments. The issue stems from a flaw in the mergeConfig function, which merges configuration objects within the library. It manifests when the function encounters a configuration object that carries __proto__ as an own property, leading to a TypeError that crashes the application. The root cause lies in how Axios processes and merges configuration objects: an object in which __proto__ appears as an ordinary own key, as JSON.parse() produces it, is not the same as the prototype accessor that an object literal would invoke, and mergeConfig did not account for that case.
The vulnerability is triggered through malicious configuration objects created with the JSON.parse() method, which lets an attacker introduce an own __proto__ property into the configuration structure. When mergeConfig attempts to process such an object, it fails to handle the __proto__ property correctly, and the resulting TypeError terminates the application. This is a classic denial of service condition in which legitimate application functionality is completely disrupted by malformed input. The vulnerability affects versions prior to 0.30.3 and 1.13.5 of the Axios library; those fixed releases introduced the defensive handling needed to prevent such crashes.
The operational impact of this vulnerability extends beyond simple service disruption, as it can affect applications that rely heavily on Axios for API communications and data exchange. When exploited, the vulnerability allows attackers to cause complete application crashes, potentially leading to extended downtime and service unavailability for end users. The vulnerability is particularly concerning because it can be triggered through JSON parsing operations that are commonly used in web applications, making it easily exploitable in environments where user input is processed through JSON parsers. This makes the vulnerability relevant across multiple threat vectors including web applications, server-side rendering environments, and any system that utilizes Axios with potentially untrusted input sources.
The fix implemented in versions 0.30.3 and 1.13.5 addresses this issue by properly sanitizing configuration objects before processing them in the mergeConfig function. These updates ensure that __proto__ properties are handled appropriately without raising TypeError exceptions. From a cybersecurity perspective, this vulnerability aligns with CWE-471, which deals with the improper handling of a variable that can be controlled by an attacker, and represents a specific instance of prototype pollution attacks that can be leveraged for denial of service. The vulnerability also maps to ATT&CK technique T1499.004, which covers network denial of service attacks through resource exhaustion or application crashes, as exploitation results in complete application termination. Organizations should prioritize updating their Axios dependencies to versions 0.30.3 or 1.13.5 to mitigate this risk, as the fix addresses the core issue without requiring architectural changes to existing applications that use the library for HTTP communications.
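The two points the analysis above turns on are that JSON.parse() yields __proto__ as an ordinary own key, and that a config merge must treat such a key as data to be rejected rather than as the prototype accessor. The following is an added example written for this page; it is not axios code and does not reproduce the project's actual fix. The names hasOwnProtoKey, findUnsafeKeys and safeMergeConfig are this example's own, and the parsed JSON is a constructed sample. It shows a validation pass that reports unsafe keys in untrusted input, and a deep merge that drops them at every depth without crashing or touching any prototype.

```javascript
// Added example (not axios code): detecting an own "__proto__" key produced by
// JSON.parse() and merging configuration without crashing or polluting the
// prototype. hasOwnProtoKey, findUnsafeKeys and safeMergeConfig are names
// chosen for this example, not axios APIs.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isUnsafeKey(key) {
  return UNSAFE_KEYS.has(key);
}

// JSON.parse() defines "__proto__" as an ordinary own data property (an object
// literal would instead set the prototype), so Object.keys() reports it and a
// naive `target[key] = value` loop would reach the prototype setter.
function hasOwnProtoKey(obj) {
  return Object.prototype.hasOwnProperty.call(obj, '__proto__');
}

// Walk a parsed JSON value and return the paths of every unsafe own key.
// Suitable as an input-validation step before untrusted JSON becomes a config.
function findUnsafeKeys(value, path = '') {
  const found = [];
  if (value === null || typeof value !== 'object') return found;
  if (Array.isArray(value)) {
    value.forEach((item, i) => found.push(...findUnsafeKeys(item, `${path}[${i}]`)));
    return found;
  }
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (isUnsafeKey(key)) found.push(here);
    found.push(...findUnsafeKeys(value[key], here));
  }
  return found;
}

function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Deep-merge `overrides` into a fresh copy of `defaults`. Unsafe keys are
// dropped at every depth, the result has a null prototype, and properties are
// written with Object.defineProperty so a key literally named "__proto__"
// could never reach the prototype setter even if the deny-list were bypassed.
function safeMergeConfig(defaults, overrides) {
  const out = Object.create(null);
  for (const src of [defaults, overrides]) {
    if (!isPlainObject(src)) continue;
    for (const key of Object.keys(src)) {
      if (isUnsafeKey(key)) continue; // drop silently: no crash, no pollution
      const incoming = src[key];
      const existing = out[key];
      const merged = isPlainObject(incoming)
        ? safeMergeConfig(isPlainObject(existing) ? existing : {}, incoming)
        : incoming;
      Object.defineProperty(out, key, {
        value: merged, enumerable: true, writable: true, configurable: true,
      });
    }
  }
  return out;
}

// Constructed sample: attacker-shaped JSON as a request body might carry it.
const untrustedConfig = JSON.parse(
  '{"baseURL":"https://example.test","__proto__":{"polluted":true},' +
  '"headers":{"constructor":{"x":1},"Accept":"application/json"}}'
);

console.log(hasOwnProtoKey(untrustedConfig));   // true
console.log(findUnsafeKeys(untrustedConfig));   // [ '__proto__', 'headers.constructor' ]
const mergedConfig = safeMergeConfig(
  { timeout: 1000, headers: { 'User-Agent': 'demo' } },
  untrustedConfig
);
console.log(Object.keys(mergedConfig));         // [ 'timeout', 'headers', 'baseURL' ]
console.log(({}).polluted);                     // undefined: no pollution occurred
```

In practice the validation pass belongs at the trust boundary (where request bodies or stored settings are parsed), so that rejected input can be logged as a detection signal, while the defensive merge is the belt-and-braces layer for any code path that still reaches the HTTP client with caller-supplied options.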