VulnerableCode Package Details - pkg:npm/axios@1.13.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-x41s-g5mh-pkdq Aliases: CVE-2026-25639 GHSA-43fc-jf86-j433	Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig # Denial of Service via proto Key in mergeConfig ### Summary The `mergeConfig` function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, causing complete denial of service. ### Details The vulnerability exists in `lib/core/mergeConfig.js` at lines 98-101: ```javascript utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) { const merge = mergeMap[prop] \|\| mergeDeepProperties; const configValue = merge(config1[prop], config2[prop], prop); (utils.isUndefined(configValue) && merge !== mergeDirectKeys) \|\| (config[prop] = configValue); }); ``` When `prop` is `'__proto__'`: 1. `JSON.parse('{"__proto__": {...}}')` creates an object with `__proto__` as an own enumerable property 2. `Object.keys()` includes `'__proto__'` in the iteration 3. `mergeMap['__proto__']` performs prototype chain lookup, returning `Object.prototype` (truthy object) 4. The expression `mergeMap[prop] \|\| mergeDeepProperties` evaluates to `Object.prototype` 5. `Object.prototype(...)` throws `TypeError: merge is not a function` The `mergeConfig` function is called by: - `Axios._request()` at `lib/core/Axios.js:75` - `Axios.getUri()` at `lib/core/Axios.js:201` - All HTTP method shortcuts (`get`, `post`, etc.) at `lib/core/Axios.js:211,224` ### PoC ```javascript import axios from "axios"; const maliciousConfig = JSON.parse('{"__proto__": {"x": 1}}'); await axios.get("https://httpbin.org/get", maliciousConfig); ``` Reproduction steps: 1. Clone axios repository or `npm install axios` 2. Create file `poc.mjs` with the code above 3. Run: `node poc.mjs` 4. Observe the TypeError crash Verified output (axios 1.13.4): ``` TypeError: merge is not a function at computeConfigValue (lib/core/mergeConfig.js:100:25) at Object.forEach (lib/utils.js:280:10) at mergeConfig (lib/core/mergeConfig.js:98:9) ``` Control tests performed: \| Test \| Config \| Result \| \|------\|--------\|--------\| \| Normal config \| `{"timeout": 5000}` \| SUCCESS \| \| Malicious config \| `JSON.parse('{"__proto__": {"x": 1}}')` \| CRASH \| \| Nested object \| `{"headers": {"X-Test": "value"}}` \| SUCCESS \| Attack scenario: An application that accepts user input, parses it with `JSON.parse()`, and passes it to axios configuration will crash when receiving the payload `{"__proto__": {"x": 1}}`. ### Impact Denial of Service - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload. Affected environments: - Node.js servers using axios for HTTP requests - Any backend that passes parsed JSON to axios configuration This is NOT prototype pollution - the application crashes before any assignment occurs.	1.13.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-x41s-g5mh-pkdq
Aliases:
CVE-2026-25639
GHSA-43fc-jf86-j433

Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig # Denial of Service via **proto** Key in mergeConfig ### Summary The `mergeConfig` function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, causing complete denial of service. ### Details The vulnerability exists in `lib/core/mergeConfig.js` at lines 98-101: ```javascript utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) { const merge = mergeMap[prop] || mergeDeepProperties; const configValue = merge(config1[prop], config2[prop], prop); (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue); }); ``` When `prop` is `'__proto__'`: 1. `JSON.parse('{"__proto__": {...}}')` creates an object with `__proto__` as an own enumerable property 2. `Object.keys()` includes `'__proto__'` in the iteration 3. `mergeMap['__proto__']` performs prototype chain lookup, returning `Object.prototype` (truthy object) 4. The expression `mergeMap[prop] || mergeDeepProperties` evaluates to `Object.prototype` 5. `Object.prototype(...)` throws `TypeError: merge is not a function` The `mergeConfig` function is called by: - `Axios._request()` at `lib/core/Axios.js:75` - `Axios.getUri()` at `lib/core/Axios.js:201` - All HTTP method shortcuts (`get`, `post`, etc.) at `lib/core/Axios.js:211,224` ### PoC ```javascript import axios from "axios"; const maliciousConfig = JSON.parse('{"__proto__": {"x": 1}}'); await axios.get("https://httpbin.org/get", maliciousConfig); ``` **Reproduction steps:** 1. Clone axios repository or `npm install axios` 2. Create file `poc.mjs` with the code above 3. Run: `node poc.mjs` 4. Observe the TypeError crash **Verified output (axios 1.13.4):** ``` TypeError: merge is not a function at computeConfigValue (lib/core/mergeConfig.js:100:25) at Object.forEach (lib/utils.js:280:10) at mergeConfig (lib/core/mergeConfig.js:98:9) ``` **Control tests performed:** | Test | Config | Result | |------|--------|--------| | Normal config | `{"timeout": 5000}` | SUCCESS | | Malicious config | `JSON.parse('{"__proto__": {"x": 1}}')` | **CRASH** | | Nested object | `{"headers": {"X-Test": "value"}}` | SUCCESS | **Attack scenario:** An application that accepts user input, parses it with `JSON.parse()`, and passes it to axios configuration will crash when receiving the payload `{"__proto__": {"x": 1}}`. ### Impact **Denial of Service** - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload. Affected environments: - Node.js servers using axios for HTTP requests - Any backend that passes parsed JSON to axios configuration This is NOT prototype pollution - the application crashes before any assignment occurs.

1.13.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-kgnf-z6ca-tqgp	Axios HTTP/2 Session Cleanup State Corruption Vulnerability	CVE-2026-39865 GHSA-qj83-cq47-w5f8

Vulnerability

Summary

Aliases

VCID-kgnf-z6ca-tqgp

Axios HTTP/2 Session Cleanup State Corruption Vulnerability

CVE-2026-39865
GHSA-qj83-cq47-w5f8

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:16:53.209835+00:00	GitLab Importer	Affected by	VCID-x41s-g5mh-pkdq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/axios/CVE-2026-25639.yml	38.4.0
2026-04-14T02:42:41.264922+00:00	GHSA Importer	Fixing	VCID-kgnf-z6ca-tqgp	https://github.com/advisories/GHSA-qj83-cq47-w5f8	38.3.0
2026-04-12T01:41:04.637108+00:00	GitLab Importer	Affected by	VCID-x41s-g5mh-pkdq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/axios/CVE-2026-25639.yml	38.3.0
2026-04-09T22:49:46.383292+00:00	GithubOSV Importer	Fixing	VCID-kgnf-z6ca-tqgp	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-qj83-cq47-w5f8/GHSA-qj83-cq47-w5f8.json	38.1.0
2026-04-08T19:02:31.287277+00:00	GHSA Importer	Fixing	VCID-kgnf-z6ca-tqgp	https://github.com/advisories/GHSA-qj83-cq47-w5f8	38.1.0
2026-04-03T01:49:58.280862+00:00	GitLab Importer	Affected by	VCID-x41s-g5mh-pkdq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/axios/CVE-2026-25639.yml	38.1.0