{"url":"http://public2.vulnerablecode.io/api/packages/96215?format=json","purl":"pkg:deb/debian/node-axios@1.14.0%2Bdfsg-1?distro=trixie","type":"deb","namespace":"debian","name":"node-axios","version":"1.14.0+dfsg-1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.15.0-1","latest_non_vulnerable_version":"1.16.0-1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66287?format=json","vulnerability_id":"VCID-jpp8-3u2p-8qfn","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25639.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25639.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25639","reference_id":"","reference_type":"","scores":[{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32051","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.3187","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32056","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32072","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25639"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25639","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25639"},{"reference_url":"https://github.com/axios/axios","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/axios/axios"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127907","reference_id":"1127907","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127907"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2438237","reference_id":"2438237","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2438237"},{"reference_url":"https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57","reference_id":"28c721588c7a77e7503d0a434e016f852c597b57","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57"},{"reference_url":"https://github.com/axios/axios/pull/7369","reference_id":"7369","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/pull/7369"},{"reference_url":"https://github.com/axios/axios/pull/7388","reference_id":"7388","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/pull/7388"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25639","reference_id":"CVE-2026-25639","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25639"},{"reference_url":"https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e","reference_id":"d7ff1409c68168d3057fc3891f911b2b92616f9e","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e"},{"reference_url":"https://github.com/advisories/GHSA-43fc-jf86-j433","reference_id":"GHSA-43fc-jf86-j433","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-43fc-jf86-j433"},{"reference_url":"https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433","reference_id":"GHSA-43fc-jf86-j433","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:11414","reference_id":"RHSA-2026:11414","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:11414"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13542","reference_id":"RHSA-2026:13542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13542"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13548","reference_id":"RHSA-2026:13548","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13548"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19712","reference_id":"RHSA-2026:19712","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:25041","reference_id":"RHSA-2026:25041","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:25041"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2694","reference_id":"RHSA-2026:2694","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2694"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3087","reference_id":"RHSA-2026:3087","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3087"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3105","reference_id":"RHSA-2026:3105","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3105"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3106","reference_id":"RHSA-2026:3106","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3106"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3107","reference_id":"RHSA-2026:3107","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3107"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3109","reference_id":"RHSA-2026:3109","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3109"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4942","reference_id":"RHSA-2026:4942","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4942"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5142","reference_id":"RHSA-2026:5142","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5142"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5168","reference_id":"RHSA-2026:5168","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5168"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5174","reference_id":"RHSA-2026:5174","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5174"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5633","reference_id":"RHSA-2026:5633","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5633"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5636","reference_id":"RHSA-2026:5636","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5636"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5665","reference_id":"RHSA-2026:5665","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5665"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5807","reference_id":"RHSA-2026:5807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5807"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6170","reference_id":"RHSA-2026:6170","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6170"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6174","reference_id":"RHSA-2026:6174","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6174"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6192","reference_id":"RHSA-2026:6192","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6192"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6277","reference_id":"RHSA-2026:6277","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6277"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6308","reference_id":"RHSA-2026:6308","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6308"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6309","reference_id":"RHSA-2026:6309","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6309"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6404","reference_id":"RHSA-2026:6404","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6404"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6428","reference_id":"RHSA-2026:6428","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6428"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6497","reference_id":"RHSA-2026:6497","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6497"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6567","reference_id":"RHSA-2026:6567","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6567"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6568","reference_id":"RHSA-2026:6568","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6568"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6802","reference_id":"RHSA-2026:6802","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6802"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7249","reference_id":"RHSA-2026:7249","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7249"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8218","reference_id":"RHSA-2026:8218","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8218"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8229","reference_id":"RHSA-2026:8229","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8229"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8499","reference_id":"RHSA-2026:8499","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8499"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8500","reference_id":"RHSA-2026:8500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:8501","reference_id":"RHSA-2026:8501","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:8501"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9848","reference_id":"RHSA-2026:9848","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9848"},{"reference_url":"https://github.com/axios/axios/releases/tag/v0.30.3","reference_id":"v0.30.3","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/releases/tag/v0.30.3"},{"reference_url":"https://github.com/axios/axios/releases/tag/v1.13.5","reference_id":"v1.13.5","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:46Z/"}],"url":"https://github.com/axios/axios/releases/tag/v1.13.5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96215?format=json","purl":"pkg:deb/debian/node-axios@1.14.0%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.14.0%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96205?format=json","purl":"pkg:deb/debian/node-axios@1.16.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.16.0-1%3Fdistro=trixie"}],"aliases":["CVE-2026-25639","GHSA-43fc-jf86-j433"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jpp8-3u2p-8qfn"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.14.0%252Bdfsg-1%3Fdistro=trixie"}