VYPR
High severity 7.5 · NVD Advisory · Published Feb 9, 2026 · Updated May 21, 2026

CVE-2026-25639

Description

Axios is a promise-based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
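For code that builds request configuration from untrusted JSON, the following added example (not part of the advisory and not axios code) shows that JSON.parse() creates `__proto__` as an own property, and two ways to keep such keys out of a config object before it reaches an HTTP client. The function names and the sample input are constructed for illustration.

```javascript
'use strict';

// Own-property names to refuse in untrusted config. The advisory names
// only __proto__; extend the set if local policy requires it.
const FORBIDDEN = new Set(['__proto__']);

// Return the path of every forbidden own key, at any depth.
function findForbiddenKeys(value, path = '$', hits = []) {
  if (value === null || typeof value !== 'object') return hits;
  for (const key of Object.keys(value)) {
    const here = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`;
    if (FORBIDDEN.has(key)) hits.push(here);
    findForbiddenKeys(value[key], here, hits);
  }
  return hits;
}

// Parse JSON and reject the whole document if a forbidden key is present.
function parseConfigStrict(text) {
  const parsed = JSON.parse(text);
  const hits = findForbiddenKeys(parsed);
  if (hits.length > 0) {
    throw new TypeError(`forbidden key(s) in config: ${hits.join(', ')}`);
  }
  return parsed;
}

// Parse JSON and drop forbidden keys; a reviver that returns undefined
// deletes the property from its parent object.
function parseConfigStripped(text) {
  return JSON.parse(text, (key, val) => (FORBIDDEN.has(key) ? undefined : val));
}

// Constructed sample input, not taken from the advisory.
const SAMPLE =
  '{"timeout":1000,"headers":{"__proto__":{"x":1}},"__proto__":{"y":2}}';

// JSON.parse defines "__proto__" as an ordinary own data property,
// unlike an object literal, where the same key sets the prototype.
function hasOwnProto(obj) {
  return Object.prototype.hasOwnProperty.call(obj, '__proto__');
}
```

Input filtering of this kind complements, and does not replace, upgrading to 0.30.3 or 1.13.5.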

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| axios (npm) | >= 1.0.0, < 1.13.5 | 1.13.5 |
| axios (npm) | < 0.30.3 | 0.30.3 |

Affected products: 47
