CVE-2026-25639
TypeError Crash in Axios mergeConfig Causes Denial of Service
Publication date: 2026-02-09
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| axios | axios | to 1.13.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Axios HTTP client before version 1.13.5. The mergeConfig function crashes with a TypeError when it processes configuration objects that contain __proto__ as an own property. An attacker can exploit this by providing a malicious configuration object, for example one created via JSON.parse(), which causes the application to crash completely, resulting in a denial of service.
How can this vulnerability impact me? :
The main impact of this vulnerability is a complete denial of service. An attacker can cause the Axios client to crash by sending a specially crafted configuration object, which disrupts the normal operation of applications relying on Axios for HTTP requests.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the axios package to version 1.13.5 or later, where the issue has been fixed.