PT-2026-7150 · Axios +1

Hackerman70000 · Published 2026-02-08 · Updated 2026-05-21 · CVE-2026-25639

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Axios versions prior to 0.30.3; Axios versions prior to 1.13.5

Description: The mergeConfig() function in Axios crashes with a TypeError when processing configuration objects that contain __proto__ as an own property. When __proto__ is present as an own key (for example, in an object produced by JSON.parse()), the function's lookup for that key goes through the prototype chain and returns Object.prototype instead of a function, and the attempted call crashes the process. A remote attacker can exploit this by supplying a malicious configuration object, resulting in a complete denial of service. This issue affects Node.js servers and any backend that passes user-controlled JSON into Axios configuration methods.

Recommendations: Update to version 0.30.3 or later. Update to version 1.13.5 or later. As a temporary workaround, avoid passing user-controlled input directly into the Axios configuration object; in particular, validate input parsed via JSON.parse() and remove the __proto__ property before it is processed by mergeConfig().
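As an added illustration, not code from Axios or from this advisory, the snippet below shows the lookup pattern the description refers to (a plain-object read for an attacker-chosen key), an own-property check that avoids it, and the workaround from the recommendations (stripping __proto__ from parsed JSON). All names (mergeMap, naiveStrategy, safeStrategy, mergeConfigs, stripProto) are hypothetical and the sample body is constructed.

```javascript
// Added example, not Axios code. mergeMap, naiveStrategy, safeStrategy,
// mergeConfigs and stripProto are hypothetical names for this illustration.

// Plain object mapping config keys to merge strategies.
const mergeMap = {
  url: (a, b) => (b === undefined ? a : b),
  headers: (a, b) => ({ ...(a || {}), ...(b || {}) }),
};

// Bug class: a plain-object read for "__proto__" walks the prototype chain
// and returns Object.prototype. That is not a function, but it is also not
// undefined, so no fallback applies and the later call throws a TypeError.
function naiveStrategy(key) {
  return mergeMap[key];
}

// Hardened: only own properties of the map count as strategies.
function safeStrategy(key) {
  return Object.hasOwn(mergeMap, key) ? mergeMap[key] : undefined;
}

// Minimal merge driven by a strategy lookup; unknown keys take the
// right-hand value. defineProperty keeps any "__proto__" key an own
// property instead of re-pointing the result's prototype.
function mergeConfigs(a, b, lookup) {
  const out = {};
  for (const key of new Set([...Object.keys(a), ...Object.keys(b)])) {
    const strategy = lookup(key) ?? ((x, y) => (y === undefined ? x : y));
    const value = strategy(a[key], b[key]); // throws when strategy is Object.prototype
    Object.defineProperty(out, key, { value, enumerable: true, writable: true, configurable: true });
  }
  return out;
}

// Workaround from the advisory: drop own "__proto__" keys, recursively,
// from anything that came out of JSON.parse() before it reaches a merge.
function stripProto(value) {
  if (Array.isArray(value)) return value.map(stripProto);
  if (value === null || typeof value !== 'object') return value;
  const clean = {};
  for (const key of Object.keys(value)) {
    if (key === '__proto__') continue;
    clean[key] = stripProto(value[key]);
  }
  return clean;
}

// Constructed sample request body: JSON.parse creates "__proto__" as an OWN key.
const untrusted = JSON.parse('{"url":"/api","__proto__":{"polluted":true}}');
```

Passing `untrusted` through `mergeConfigs` with `naiveStrategy` reproduces the crash class; stripping it first and using the own-property lookup yields `{ url: '/api' }`.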

Tags: Exploit · Fix · DoS · Prototype Pollution

Weakness Enumeration: Improper Check for Exceptional Conditions

Related Identifiers

BDU:2026-01948
CLEANSTART-2026-LC05413
CVE-2026-25639
GHSA-43FC-JF86-J433
RHSA-2026:6277

Affected Products

Axios
Confluence