7.5
CVE-2026-25639
- EPSS 2.59%
- Veröffentlicht 09.02.2026 20:11:22
- Zuletzt bearbeitet 09.07.2026 13:16:52
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Axios affected by Denial of Service via __proto__ Key in mergeConfig
Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.59% | 0.834 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-1287 Improper Validation of Specified Type of Input
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
CWE-754 Improper Check for Unusual or Exceptional Conditions
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57
https://github.com/axios/axios/releases/tag/v1.13.5
https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e
https://github.com/axios/axios/pull/7369
https://github.com/axios/axios/pull/7388
https://github.com/axios/axios/releases/tag/v0.30.3
https://bugzilla.redhat.com/show_bug.cgi?id=2438237
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25639.json
https://access.redhat.com/errata/RHSA-2026:10184
https://access.redhat.com/errata/RHSA-2026:11414
https://access.redhat.com/errata/RHSA-2026:13542
https://access.redhat.com/errata/RHSA-2026:13548
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:4942
https://access.redhat.com/errata/RHSA-2026:5168
https://access.redhat.com/errata/RHSA-2026:5636
https://access.redhat.com/errata/RHSA-2026:5665
https://access.redhat.com/errata/RHSA-2026:5807
https://access.redhat.com/errata/RHSA-2026:6192
https://access.redhat.com/errata/RHSA-2026:6277
https://access.redhat.com/errata/RHSA-2026:6428
https://access.redhat.com/errata/RHSA-2026:6497
https://access.redhat.com/errata/RHSA-2026:6567
https://access.redhat.com/errata/RHSA-2026:6568
https://access.redhat.com/errata/RHSA-2026:7249
https://access.redhat.com/errata/RHSA-2026:8218
https://access.redhat.com/errata/RHSA-2026:8229
https://access.redhat.com/errata/RHSA-2026:9848
https://access.redhat.com/errata/RHSA-2026:6802
https://access.redhat.com/errata/RHSA-2026:25041
https://access.redhat.com/errata/RHSA-2026:6174
https://access.redhat.com/errata/RHSA-2026:2694
https://access.redhat.com/errata/RHSA-2026:3087
https://access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:5633
https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433
https://access.redhat.com/errata/RHSA-2026:3105
https://access.redhat.com/errata/RHSA-2026:3106
https://access.redhat.com/errata/RHSA-2026:3107
https://access.redhat.com/errata/RHSA-2026:3109
https://access.redhat.com/errata/RHSA-2026:5142
https://access.redhat.com/errata/RHSA-2026:5174
https://access.redhat.com/errata/RHSA-2026:6170
https://access.redhat.com/errata/RHSA-2026:6308
https://access.redhat.com/errata/RHSA-2026:6309
https://access.redhat.com/errata/RHSA-2026:8499
https://access.redhat.com/errata/RHSA-2026:8500
https://access.redhat.com/errata/RHSA-2026:8501
https://access.redhat.com/security/cve/CVE-2026-25639