CVE-2026-25639

Medienbericht

Exploit

EPSS 0.07%
Veröffentlicht 09.02.2026 20:11:22
Zuletzt bearbeitet 18.02.2026 18:24:34
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Axios affected by Denial of Service via __proto__ Key in mergeConfig

Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 11

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Axios ≫ Axios SwPlatformnode.js Version < 1.13.5

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.207

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-754 Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

https://thehackernews.com/2026/04/weekly-recap-axios-hack-chrome-0-day.html

Media Report

https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433

Vendor Advisory

Exploit

https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57

Patch

https://github.com/axios/axios/releases/tag/v1.13.5

Product

Release Notes

https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e

https://github.com/axios/axios/pull/7369