CVE-2026-25639 Overview
CVE-2026-25639 is a Denial of Service vulnerability affecting Axios, a popular promise-based HTTP client for both browser and Node.js environments. Prior to version 1.13.5, the mergeConfig function in Axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service in applications relying on Axios for HTTP requests.
Critical Impact
Applications using Axios versions prior to 1.13.5 can be crashed completely by malicious configuration input, leading to service unavailability.
Affected Products
- Axios versions prior to 1.13.5
- Node.js applications using vulnerable Axios versions
- Browser applications using vulnerable Axios versions
Discovery Timeline
- 2026-02-09 - CVE-2026-25639 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25639
Vulnerability Analysis
This vulnerability is classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions). The core issue lies in the mergeConfig function within lib/core/mergeConfig.js, which fails to properly handle configuration objects that contain __proto__ as an own property rather than as a prototype chain reference.
When Axios processes configuration objects, the mergeConfig function merges user-provided settings with default configurations. However, when an attacker supplies a configuration object created through JSON.parse() that includes __proto__ as an actual property key, the function encounters unexpected behavior and throws a TypeError, crashing the application.
The attack is particularly effective because JSON.parse() turns a "__proto__" key into an ordinary own property of the parsed object, unlike an object literal or assignment, where __proto__ acts as the prototype accessor. Code that assumes the name can only appear as that accessor therefore receives an own key it was never written to handle.
Root Cause
The root cause is improper validation of exceptional input conditions in the configuration merging logic. The mergeConfig function did not anticipate or handle the scenario where configuration objects would contain __proto__ as an own enumerable property rather than inheriting it from the prototype chain. This oversight allows crafted JSON payloads to trigger unhandled exceptions during the merge operation.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by:
- Sending a malicious request to an application that passes user-controlled data into its Axios configuration
- Including a JSON payload with __proto__ as a direct property key
- Relying on the application to parse that JSON and hand it to Axios, at which point the mergeConfig function throws a TypeError and the process crashes
The attack payload can be delivered through any input vector that eventually reaches Axios configuration, including API request bodies, query parameters, or header values that are processed and merged into Axios configs.
-'use strict';
+"use strict";
-import utils from '../utils.js';
+import utils from "../utils.js";
import AxiosHeaders from "./AxiosHeaders.js";
-const headersToObject = (thing) => thing instanceof AxiosHeaders ? { ...thing } : thing;
+const headersToObject = (thing) =>
+ thing instanceof AxiosHeaders ? { ...thing } : thing;
/**
* Config-specific merge-function which creates a new config-object
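Review bot: Nothing in the visible hunk touches how mergeConfig handles an own __proto__ key; the changes are the quote style ('use strict' to "use strict", '../utils.js' to "../utils.js") and re-wrapping headersToObject across two lines, all cosmetic. The excerpt should include the hunk that adds the check the advisory describes so the fix can be reviewed against it, and the reformatting would be easier to review if kept separate from the security change.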
Source: GitHub Commit for axios
Detection Methods for CVE-2026-25639
Indicators of Compromise
- Application crashes with TypeError exceptions originating from Axios mergeConfig function
- Unexpected service restarts or container failures in Node.js applications using Axios
- Error logs showing unhandled exceptions in lib/core/mergeConfig.js
- Incoming requests containing __proto__ in JSON payloads targeting configuration endpoints
Detection Strategies
- Monitor application error logs for TypeError exceptions in Axios-related code paths
- Implement request inspection rules to detect JSON payloads containing __proto__ as a property key
- Deploy application performance monitoring (APM) to detect sudden crash patterns or service degradation
- Review dependency manifests to identify applications using Axios versions prior to 1.13.5
Monitoring Recommendations
- Enable detailed logging for Axios configuration processing in development and staging environments
- Set up alerts for elevated crash rates or restart loops in production applications
- Monitor for anomalous patterns in incoming request payloads, particularly nested JSON structures
- Track Axios version usage across your infrastructure using software composition analysis (SCA) tools
How to Mitigate CVE-2026-25639
Immediate Actions Required
- Upgrade Axios to version 1.13.5 or later immediately across all affected applications
- Audit applications to identify where user-controlled input may flow into Axios configuration objects
- Implement input validation to sanitize JSON payloads before they reach Axios configuration logic
- Consider deploying WAF rules to block requests containing __proto__ in JSON payloads as a temporary measure
Patch Information
The vulnerability is fixed in Axios version 1.13.5. The patch addresses the improper exception handling in the mergeConfig function by adding proper validation for unusual property names including __proto__. Organizations should upgrade to this version or later to remediate the vulnerability.
For detailed information about the fix, refer to the GitHub Security Advisory GHSA-43fc-jf86-j433 and the GitHub Release v1.13.5.
Workarounds
- Implement server-side input validation to strip or reject __proto__ properties from JSON payloads before processing
- Use object creation patterns like Object.create(null) for configuration objects to prevent prototype pollution vectors
- Deploy middleware that sanitizes incoming JSON data by recursively removing dangerous property names
- Consider wrapping Axios calls in try-catch blocks to prevent application crashes while working toward the official patch
# Upgrade commands
# Upgrade Axios to the patched release (or any later 1.x release)
npm install axios@^1.13.5
# Or pin the exact patched version
npm install axios@1.13.5
# Verify the installed version
npm list axios
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.