CVE-2026-25639NVD

Vulnerability Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.

Severity Level

HIGH(7.5)

Published Date

Feb 9, 2026

Last Modified

May 21, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.05%Probability

Root Weakness (CWE)

CWE-754: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityNone

IntegrityNone

AvailabilityHigh

External References

https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57
https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e
https://github.com/axios/axios/pull/7369
https://github.com/axios/axios/pull/7388
https://github.com/axios/axios/releases/tag/v0.30.3
https://github.com/axios/axios/releases/tag/v1.13.5
https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433

Critical Alert 3 Active Exploits Detected Today

Critical Alert

CVE Watchtower

CVE-2026-25639NVD

Vulnerability Summary

External References