{"url":"http://public2.vulnerablecode.io/api/packages/906412?format=json","purl":"pkg:npm/axios@1.13.2","type":"npm","namespace":"","name":"axios","version":"1.13.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.13.5","latest_non_vulnerable_version":"1.15.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/20921?format=json","vulnerability_id":"VCID-x41s-g5mh-pkdq","summary":"Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig\n# Denial of Service via **proto** Key in mergeConfig\n\n### Summary\n\nThe `mergeConfig` function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, causing complete denial of service.\n\n### Details\n\nThe vulnerability exists in `lib/core/mergeConfig.js` at lines 98-101:\n\n```javascript\nutils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {\n  const merge = mergeMap[prop] || mergeDeepProperties;\n  const configValue = merge(config1[prop], config2[prop], prop);\n  (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);\n});\n```\n\nWhen `prop` is `'__proto__'`:\n\n1. `JSON.parse('{\"__proto__\": {...}}')` creates an object with `__proto__` as an own enumerable property\n2. `Object.keys()` includes `'__proto__'` in the iteration\n3. `mergeMap['__proto__']` performs prototype chain lookup, returning `Object.prototype` (truthy object)\n4. The expression `mergeMap[prop] || mergeDeepProperties` evaluates to `Object.prototype`\n5. `Object.prototype(...)` throws `TypeError: merge is not a function`\n\nThe `mergeConfig` function is called by:\n\n- `Axios._request()` at `lib/core/Axios.js:75`\n- `Axios.getUri()` at `lib/core/Axios.js:201`\n- All HTTP method shortcuts (`get`, `post`, etc.) at `lib/core/Axios.js:211,224`\n\n### PoC\n\n```javascript\nimport axios from \"axios\";\n\nconst maliciousConfig = JSON.parse('{\"__proto__\": {\"x\": 1}}');\nawait axios.get(\"https://httpbin.org/get\", maliciousConfig);\n```\n\n**Reproduction steps:**\n\n1. Clone axios repository or `npm install axios`\n2. Create file `poc.mjs` with the code above\n3. Run: `node poc.mjs`\n4. Observe the TypeError crash\n\n**Verified output (axios 1.13.4):**\n\n```\nTypeError: merge is not a function\n    at computeConfigValue (lib/core/mergeConfig.js:100:25)\n    at Object.forEach (lib/utils.js:280:10)\n    at mergeConfig (lib/core/mergeConfig.js:98:9)\n```\n\n**Control tests performed:**\n| Test | Config | Result |\n|------|--------|--------|\n| Normal config | `{\"timeout\": 5000}` | SUCCESS |\n| Malicious config | `JSON.parse('{\"__proto__\": {\"x\": 1}}')` | **CRASH** |\n| Nested object | `{\"headers\": {\"X-Test\": \"value\"}}` | SUCCESS |\n\n**Attack scenario:**\nAn application that accepts user input, parses it with `JSON.parse()`, and passes it to axios configuration will crash when receiving the payload `{\"__proto__\": {\"x\": 1}}`.\n\n### Impact\n\n**Denial of Service** - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.\n\nAffected environments:\n\n- Node.js servers using axios for HTTP requests\n- Any backend that passes parsed JSON to axios configuration\n\nThis is NOT prototype pollution - the application crashes before any assignment occurs.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25639.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25639.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25639","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15752","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15795","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15798","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1578","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15744","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1582","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15889","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15888","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15802","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1594","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.15927","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1595","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16003","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.16649","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25639"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25639","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25639"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57"},{"reference_url":"https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e"},{"reference_url":"https://github.com/axios/axios/pull/7369","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/pull/7369"},{"reference_url":"https://github.com/axios/axios/pull/7388","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/pull/7388"},{"reference_url":"https://github.com/axios/axios/releases/tag/v0.30.0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/axios/axios/releases/tag/v0.30.0"},{"reference_url":"https://github.com/axios/axios/releases/tag/v0.30.3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/releases/tag/v0.30.3"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.13.5","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/releases/tag/v1.13.5"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25639","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25639"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127907","reference_id":"1127907","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127907"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2438237","reference_id":"2438237","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2438237"},{"reference_url":"https://github.com/advisories/GHSA-43fc-jf86-j433","reference_id":"GHSA-43fc-jf86-j433","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-43fc-jf86-j433"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:11414","reference_id":"RHSA-2026:11414","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:11414"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13542","reference_id":"RHSA-2026:13542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13542"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13548","reference_id":"RHSA-2026:13548","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13548"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2694","reference_id":"RHSA-2026:2694","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2694"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3087","reference_id":"RHSA-2026:3087","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3087"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3105","reference_id":"RHSA-2026:3105","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3105"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3106","reference_id":"RHSA-2026:3106","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3106"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3107","reference_id":"RHSA-2026:3107","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3107"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3109","reference_id":"RHSA-2026:3109","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3109"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4942","reference_id":"RHSA-2026:4942","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4942"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5142","reference_id":"RHSA-2026:5142","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5142"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5168","reference_id":"RHSA-2026:5168","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5168"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5174","reference_id":"RHSA-2026:5174","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5174"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5636","reference_id":"RHSA-2026:5636","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5636"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5665","reference_id":"RHSA-2026:5665","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5665"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5807","reference_id":"RHSA-2026:5807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5807"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6170","reference_id":"RHSA-2026:6170","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6170"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6174","reference_id":"RHSA-2026:6174","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6174"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6192","reference_id":"RHSA-2026:6192","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6192"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6277","reference_id":"RHSA-2026:6277","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6277"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6308","reference_id":"RHSA-2026:6308","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6308"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6309","reference_id":"RHSA-2026:6309","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6309"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6404","reference_id":"RHSA-2026:6404","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6404"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6428","reference_id":"RHSA-2026:6428","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6428"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6497","reference_id":"RHSA-2026:6497","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6497"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6567","reference_id":"RHSA-2026:6567","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6567"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6568","reference_id":"RHSA-2026:6568","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6568"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6802","reference_id":"RHSA-2026:6802","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6802"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7249","reference_id":"RHSA-2026:7249","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7249"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8218","reference_id":"RHSA-2026:8218","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8218"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8229","reference_id":"RHSA-2026:8229","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8229"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8499","reference_id":"RHSA-2026:8499","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8499"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8500","reference_id":"RHSA-2026:8500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8501","reference_id":"RHSA-2026:8501","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8501"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9848","reference_id":"RHSA-2026:9848","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9848"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62853?format=json","purl":"pkg:npm/axios@1.13.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.13.5"}],"aliases":["CVE-2026-25639","GHSA-43fc-jf86-j433"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x41s-g5mh-pkdq"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/350545?format=json","vulnerability_id":"VCID-kgnf-z6ca-tqgp","summary":"Axios HTTP/2 Session Cleanup State Corruption Vulnerability","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-39865.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-39865.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39865","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01675","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01685","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.017","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.031","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03544","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03412","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03423","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03542","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03538","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39865"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-39865","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-39865"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.13.2","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:05:44Z/"}],"url":"https://github.com/axios/axios/releases/tag/v1.13.2"},{"reference_url":"https://github.com/axios/axios/commit/0588880ac7ddba7594ef179930493884b7e90bf5","reference_id":"0588880ac7ddba7594ef179930493884b7e90bf5","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:05:44Z/"}],"url":"https://github.com/axios/axios/commit/0588880ac7ddba7594ef179930493884b7e90bf5"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456538","reference_id":"2456538","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2456538"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39865","reference_id":"CVE-2026-39865","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39865"},{"reference_url":"https://github.com/advisories/GHSA-qj83-cq47-w5f8","reference_id":"GHSA-qj83-cq47-w5f8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qj83-cq47-w5f8"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8","reference_id":"GHSA-qj83-cq47-w5f8","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:05:44Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/906412?format=json","purl":"pkg:npm/axios@1.13.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x41s-g5mh-pkdq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.13.2"}],"aliases":["CVE-2026-39865","GHSA-qj83-cq47-w5f8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kgnf-z6ca-tqgp"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.13.2"}