QwikSec

Security Database

CVE

CWE

Training

CVE-2026-25639

Published: Feb 9, 2026

Modified: Feb 18, 2026

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.

Vendor	Product	Versions
axios	axios	affected `>= 1.0.0, < 1.13.5` affected `< 0.30.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433

x_refsource_CONFIRM

https://github.com/axios/axios/pull/7369

x_refsource_MISC

https://github.com/axios/axios/pull/7388

x_refsource_MISC

https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57

x_refsource_MISC

https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e

x_refsource_MISC

https://github.com/axios/axios/releases/tag/v0.30.3

x_refsource_MISC

https://github.com/axios/axios/releases/tag/v1.13.5

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.