CVE-2026-25639

Exploit

EPSS 0.05%
Veröffentlicht 09.02.2026 20:11:22
Zuletzt bearbeitet 18.02.2026 18:24:34
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Axios ≫ Axios SwPlatformnode.js Version < 1.13.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.15

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-754 Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433

Vendor Advisory

Exploit

https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57

Patch

https://github.com/axios/axios/releases/tag/v1.13.5

Product

Release Notes

https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e

https://github.com/axios/axios/pull/7369

https://github.com/axios/axios/pull/7388

https://github.com/axios/axios/releases/tag/v0.30.3