Axios Vulnerability Allows DoS and Crashes Node Attackers Triggers
A high-severity security flaw has been identified in Axios, one of the most popular HTTP client libraries used within the JavaScript ecosystem. The vulnerability, tracked as CVE-2026-25639, allows...
A high-severity security flaw has been identified in Axios, one of the most popular HTTP client libraries used within the JavaScript ecosystem.
The vulnerability, tracked as CVE-2026-25639, allows remote attackers to trigger a Denial-of-Service (DoS) condition, effectively crashing Node.js servers with a single malicious request.
The flaw lies in Axios’s mergeConfig function, which combines different configuration objects. The crash occurs when the function processes a configuration object that contains __proto__ as a key.
By default, Axios iterates over configuration properties to merge them. However, if an attacker supplies a malicious JSON object containing __proto__, the internal logic fails.
| Field | Details |
|---|---|
| CVE ID | CVE-2026-25639 |
| Severity | High (CVSS 7.5) |
| Affected Package | axios (npm) |
| Affected Versions | <= 1.13.4 |
| Impact | Denial of Service (Server Crash) |
| Attack Vector | Network (Remote) |
Axios attempts to look up a merge strategy but inadvertently retrieves Object.prototype. The code then tries to call this prototype as if it were a function.
Since Object.prototype is an object and not a function, the application throws a TypeError and crashes instantly.
This is distinct from “Prototype Pollution” vulnerabilities. In this case, the application crashes before any properties can be polluted.
The attack vector is relatively simple, earning it a “Low” attack complexity rating. It specifically targets applications that:
Accept user-controlled input (like a JSON body). Parse that input using JSON.parse(). Pass the resulting Object into an Axios configuration (e.g., axios. get(url, userConfig)).
By sending a payload like {“__proto__”: {“x”: 1}}, an attacker can force the server to terminate, taking the service offline for all users.
According to an Axios advisory, the issue affects all Axios versions up to 1.13.4, and developers are urged to upgrade to version 1.13.5 immediately.
The maintainers have released a patch in version 1.13.5 that correctly handles the __proto__ key to prevent the type error. Users should update their dependencies using npm or yarn immediately.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.