Categories: Cyber Security News

Axios Vulnerability Allows Attackers to Trigger DoS and Crash Node.js Servers

In a fresh blow to Node.js developers, a high-severity vulnerability in the popular Axios HTTP library exposes servers to denial-of-service (DoS) attacks.

Reported by jasonsaayman, the flaw, tracked as GHSA-43fc-jf86-j433, is triggered when an attacker slips a `__proto__` key into a JSON object that the application passes to Axios as a request config.

Published just two days ago, it affects Axios versions up to and including 1.13.4. Patch now with version 1.13.5.

Axios, a go-to tool for making HTTP requests in JavaScript, handles configs via its mergeConfig function in lib/core/mergeConfig.js.

The bug hides in lines 98-101, where the code loops over the keys of the two merged configs:

```javascript
utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {
  const merge = mergeMap[prop] || mergeDeepProperties;
  const configValue = merge(config1[prop], config2[prop], prop);
  // ...
});
```

Here is the problem. Feed it a JSON-parsed object such as {"__proto__": {"x": 1}}. JSON.parse creates an ordinary own property named `__proto__` (it does not change the object's prototype), and the object spread copies that own property across, so Object.keys() lists it.

mergeMap['__proto__'] then finds no own entry of that name and falls through to the prototype chain, returning Object.prototype, which is an object rather than a function. Because that value is truthy, the || fallback to mergeDeepProperties never runs, and the call on line 100 throws TypeError: merge is not a function. If nothing catches that exception (or the rejected promise it becomes in an async handler), the Node.js process exits.

This hits core Axios flows: Axios._request(), getUri(), and shortcuts like get() or post(). No prototype pollution occurs: the exception is thrown before anything is assigned, so the only effect is the crash.
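The following is an added example, not code from Axios or from the article. It models the mergeMap lookup in lib/core/mergeConfig.js with a three-entry map (the real map is larger) so the failure reproduces without installing axios, and places a hardened lookup beside it. The hardened version is this example's own fix, written from the description above; it is not necessarily what the 1.13.5 patch does.

```javascript
// Added example, not code from Axios or the article. It models the mergeMap
// lookup in lib/core/mergeConfig.js with a three-entry map so the failure
// can be reproduced without installing axios, then shows a hardened lookup.

// Simplified stand-in for Axios's mergeDeepProperties: config2 wins when set.
function mergeDeepProperties(a, b) {
  return b !== undefined ? b : a;
}

// Like Axios's mergeMap this is a plain object literal, so it inherits from
// Object.prototype: mergeMap["__proto__"] resolves to Object.prototype itself
// and mergeMap["toString"] to Object.prototype.toString.
const mergeMap = {
  url: (a, b) => b,
  method: (a, b) => b,
  timeout: mergeDeepProperties,
};

// Vulnerable pattern (same shape as the Axios <= 1.13.4 loop): a bare lookup
// with an || fallback. A key that resolves through the prototype chain is
// truthy, so the fallback is skipped and a non-function gets called.
function mergeConfigVulnerable(config1, config2) {
  const config = {};
  for (const prop of Object.keys({ ...config1, ...config2 })) {
    const merge = mergeMap[prop] || mergeDeepProperties;
    config[prop] = merge(config1[prop], config2[prop], prop);
  }
  return config;
}

// Hardened pattern (this example's own fix, not necessarily the 1.13.5 patch):
// only own properties of mergeMap count as strategies, and prototype-related
// keys are dropped so they can never reach the result object either.
const PROTO_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function mergeConfigHardened(config1, config2) {
  const config = {};
  for (const prop of Object.keys({ ...config1, ...config2 })) {
    if (PROTO_KEYS.has(prop)) continue;
    const merge = Object.prototype.hasOwnProperty.call(mergeMap, prop)
      ? mergeMap[prop]
      : mergeDeepProperties;
    config[prop] = merge(config1[prop], config2[prop], prop);
  }
  return config;
}

// Returns the thrown error (or null) so callers can inspect the failure mode.
function tryMerge(fn, config1, config2) {
  try {
    fn(config1, config2);
    return null;
  } catch (err) {
    return err;
  }
}

// Constructed inputs: the attacker-controlled JSON from the advisory and the
// per-request config a helper like axios.get() would merge it with.
const malicious = JSON.parse('{"__proto__": {"x": 1}}');
const requestConfig = { method: "get", url: "https://example.invalid/get" };

console.log(tryMerge(mergeConfigVulnerable, malicious, requestConfig)?.message);
// prints: merge is not a function
console.log(tryMerge(mergeConfigHardened, malicious, requestConfig));
// prints: null
```

The own-property check is the part that matters: any plain-object lookup table keyed by attacker-chosen strings has the same exposure, and `toString`, `hasOwnProperty` and friends resolve through the chain just as `__proto__` does, even if they happen to be functions.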

| Aspect | Details |
|---|---|
| ID | GHSA-43fc-jf86-j433 |
| Severity | High |
| Package | axios (npm) |
| Affected | <= 1.13.4 |
| Patched | 1.13.5 |
| CVSS Score | N/A (GHSA-tracked) |
| Attack Vector | Network (user-controlled JSON) |
| Impact | DoS (server crash) |
| Reporter | jasonsaayman (GitHub) |

Clone Axios or npm install axios@1.13.4, save the following as poc.mjs and run it with node poc.mjs:

```javascript
import axios from "axios";

// JSON.parse creates an own property literally named "__proto__";
// it does not alter the object's prototype.
const maliciousConfig = JSON.parse('{"__proto__": {"x": 1}}');

// On <= 1.13.4 mergeConfig throws before any request is sent; the rejected
// promise is unhandled here, so the process exits with the TypeError.
await axios.get("https://httpbin.org/get", maliciousConfig);
```

Result on vulnerable versions: an immediate TypeError, before any network traffic. Benign configs such as {"timeout": 5000} work fine.

Attackers target applications that parse user-supplied JSON and pass it to Axios as a request config, for example APIs that merge client-provided options into outbound requests. One such payload raises an exception inside Axios, and if the application does not catch it the whole Node.js process goes down with it, halting service. Applications that copy only specific, known fields out of user input into a config of their own are not exposed.

| Test config | Result |
|---|---|
| {"timeout": 5000} | SUCCESS |
| JSON.parse('{"__proto__": {"x": 1}}') | CRASH |
| {"headers": {"X-Test": "value"}} | SUCCESS |

Update to 1.13.5 immediately. The fix changes how mergeMap is consulted so that properties inherited from the prototype chain, such as __proto__, are no longer picked up as merge strategies. Run npm audit to find affected installs, and test every code path that hands parsed JSON to Axios.

This isn't prototype pollution, but it is a stark reminder: validate user input before handing it to a library, and never let attacker-chosen strings become property names in a library's lookup tables.
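As an added example of that validation (not code from the article or from Axios), here is an application-side gate that checks user-supplied JSON before it becomes an axios request config. The allowed keys, the string-only header and param maps, and the 30-second timeout ceiling are this example's assumptions; adjust them to what your API actually lets clients control.

```javascript
// Added example, not from the article or Axios: an application-side gate that
// validates user-supplied JSON before it becomes an axios request config.
// The allowed keys and limits are this example's assumptions; adjust them to
// what your API actually lets clients control.

const ALLOWED_KEYS = new Set(["timeout", "headers", "params"]);
const PROTO_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const MAX_TIMEOUT_MS = 30000;

// Reject prototype-related keys at any depth. JSON.parse turns "__proto__"
// into an ordinary own property, so Object.keys sees it and we can refuse it
// before any library treats it as a lookup name.
function assertNoPrototypeKeys(value, path) {
  if (value === null || typeof value !== "object") return;
  if (Array.isArray(value)) {
    value.forEach((item, i) => assertNoPrototypeKeys(item, `${path}[${i}]`));
    return;
  }
  for (const key of Object.keys(value)) {
    if (PROTO_KEYS.has(key)) throw new Error(`forbidden key ${key} at ${path}`);
    assertNoPrototypeKeys(value[key], `${path}.${key}`);
  }
}

// Copy a flat object of string values onto a fresh object (header/param maps).
function copyStringMap(source, name) {
  if (source === null || typeof source !== "object" || Array.isArray(source)) {
    throw new Error(`${name} must be a JSON object`);
  }
  const out = {};
  for (const key of Object.keys(source)) {
    if (typeof source[key] !== "string") throw new Error(`${name}.${key} must be a string`);
    out[key] = source[key];
  }
  return out;
}

// Parse and allow-list. Throws on anything that should not reach axios;
// the returned object is built field by field, never from the parsed input.
function sanitizeUserConfig(jsonText) {
  let parsed;
  try {
    parsed = JSON.parse(jsonText);
  } catch {
    throw new Error("invalid JSON");
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("config must be a JSON object");
  }
  assertNoPrototypeKeys(parsed, "$");
  for (const key of Object.keys(parsed)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error(`unsupported config key ${key}`);
  }
  const config = {};
  if (parsed.timeout !== undefined) {
    const t = parsed.timeout;
    if (!Number.isInteger(t) || t <= 0 || t > MAX_TIMEOUT_MS) {
      throw new Error(`timeout must be an integer between 1 and ${MAX_TIMEOUT_MS}`);
    }
    config.timeout = t;
  }
  if (parsed.headers !== undefined) config.headers = copyStringMap(parsed.headers, "headers");
  if (parsed.params !== undefined) config.params = copyStringMap(parsed.params, "params");
  return config;
}

// Constructed inputs: the article's test table plus a nested variant.
for (const body of [
  '{"timeout": 5000}',
  '{"headers": {"X-Test": "value"}}',
  '{"__proto__": {"x": 1}}',
  '{"headers": {"__proto__": {"x": 1}}}',
]) {
  try {
    console.log("accepted", JSON.stringify(sanitizeUserConfig(body)));
  } catch (err) {
    console.log("rejected", body, "->", err.message);
  }
}
```

The sanitized object is what gets passed to axios.get() or axios.post(); the raw parsed input never does. Allow-listing keys is what closes the general case: it stops `__proto__` today and any other key that a future library version might look up in a plain-object table.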


The post Axios Vulnerability Allows Attackers to Trigger DoS and Crash Node.js Servers appeared first on Cyber Security News.
