A high-severity vulnerability has been discovered in Axios, the immensely popular HTTP client used by millions of developers for Node.js and browser-based applications. The flaw, tracked as CVE-2026-25639, carries a CVSS score of 7.5, exposing a dangerous weakness in how the library handles configuration merging.
The vulnerability lies within the mergeConfig function, a core utility responsible for combining different configuration objects. Researchers found that this function crashes with a TypeError when it encounters a configuration object containing __proto__ as an own property.
The advisory explains the technical failure: “The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property”.
In a standard attack scenario, an attacker provides a malicious JSON payload such as {"__proto__": {"x": 1}}, which the application parses with JSON.parse() and passes to Axios. JSON.parse() creates __proto__ as an ordinary own property, so it shows up when mergeConfig iterates the object's keys. When mergeConfig then looks up a merge strategy for that key on its internal strategy object, there is no own entry, so the lookup falls through the prototype chain and returns Object.prototype: a truthy value that is not a function. The merge logic treats the truthy result as the strategy to call, attempts to invoke it, and throws a TypeError.
The impact of this flaw is immediate and disruptive. “An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service,” the report states.
If the TypeError is not caught, it terminates the Node.js process hosting the application. For servers handling public traffic, a single malicious request could take the entire service offline until the process is restarted; frameworks that catch exceptions thrown from request handlers limit the damage to a failed request, but only where the call into Axios is actually covered by such handling.
The vulnerability affects any environment where user input is parsed into a configuration object and passed to Axios.
- Affected Environments: “Node.js servers using axios for HTTP” are explicitly named as the primary target.
- Attack Vector: An application that “accepts user input, parses it with JSON.parse(), and passes it to axios configuration” is vulnerable.
The maintainers have responded by releasing a fix in Axios version 1.13.5, which restores stability in mergeConfig and prevents this simple yet effective DoS attack from taking down production systems.
Developers are strongly urged to upgrade to 1.13.5 or later immediately. Until the upgrade is in place, applications should refuse to forward user-controlled JSON into an Axios configuration at all, or at minimum reject any parsed object that carries __proto__ as an own property.