
Axios Vulnerability Lets Attackers Trigger DoS Condition and Crash Node.js Servers

A high-severity security flaw has been discovered in Axios, one of the most popular HTTP client libraries used in the JavaScript ecosystem.

The vulnerability, tracked as CVE-2026-25639, allows remote attackers to trigger a Denial-of-Service (DoS) condition, effectively crashing Node.js servers with a single malicious request.

The flaw lies in Axios’s mergeConfig function, which combines different configuration objects. The crash occurs when the function processes a configuration object that contains __proto__ as a key.

By default, Axios iterates over configuration properties to merge them. However, if an attacker supplies a malicious JSON object containing __proto__, the internal logic fails.

Field              Details
CVE ID             CVE-2026-25639
Severity           High (CVSS 7.5)
Affected Package   axios (npm)
Affected Versions  <= 1.13.4
Impact             Denial of Service (Server Crash)
Attack Vector      Network (Remote)

Axios attempts to look up a merge strategy but inadvertently retrieves Object.prototype. The code then tries to call this prototype as if it were a function.

Since Object.prototype is an object and not a function, the application throws a TypeError and crashes instantly.

This is distinct from “Prototype Pollution” vulnerabilities. In this case, the application crashes before any properties can be polluted.

The attack vector is relatively simple, earning it a “Low” attack complexity rating. It specifically targets applications that:

1. Accept user-controlled input (like a JSON body).
2. Parse that input using JSON.parse().
3. Pass the resulting object into an Axios configuration (e.g., axios.get(url, userConfig)).

By sending a payload like {"__proto__": {"x": 1}}, an attacker can force the server to terminate, taking the service offline for all users.
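The failure mode described above, reduced to a small constructed model (this is an added illustration, not Axios's own mergeConfig): a per-key strategy table is indexed with an attacker-chosen key, the "__proto__" lookup falls through to Object.prototype, and the call on it throws a TypeError. The hardened variant beside it shows the two checks a defender wants: drop prototype-chain keys from parsed input, and only honour strategies that are own properties of the table. The strategy names, the request body and the defaults are all constructed for the example.

```javascript
// Constructed strategy table: one merge function per known config key.
const mergeStrategies = {
  url: (a, b) => (b !== undefined ? b : a),
  headers: (a, b) => Object.assign({}, a, b),
};

// Union of keys from both config objects, as a merge routine would iterate.
function allKeys(defaults, userConfig) {
  return new Set([...Object.keys(defaults), ...Object.keys(userConfig)]);
}

// Vulnerable pattern: an unguarded property lookup. For key "__proto__",
// mergeStrategies["__proto__"] resolves to Object.prototype, which is truthy
// but not callable, so the call below throws TypeError and the process dies
// if nothing catches it.
function naiveMergeConfig(defaults, userConfig) {
  const result = {};
  for (const key of allKeys(defaults, userConfig)) {
    const merge = mergeStrategies[key] || ((a, b) => b);
    result[key] = merge(defaults[key], userConfig[key]);
  }
  return result;
}

// Hardened pattern: reject keys that reach the prototype chain and only use
// strategies that are own properties of the table (Object.hasOwn, Node >= 16.9).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMergeConfig(defaults, userConfig) {
  const result = {};
  for (const key of allKeys(defaults, userConfig)) {
    if (BLOCKED_KEYS.has(key)) continue; // drop attacker-supplied prototype keys
    const merge = Object.hasOwn(mergeStrategies, key)
      ? mergeStrategies[key]
      : (a, b) => b;
    result[key] = merge(defaults[key], userConfig[key]);
  }
  return result;
}

// Runs both variants on a constructed request body. JSON.parse creates
// "__proto__" as an own property, so Object.keys() returns it.
function demo() {
  const body = JSON.parse('{"__proto__": {"x": 1}, "url": "/health"}');
  const defaults = { url: '/', headers: { 'x-trace': 'on' } };
  let crashed = false;
  try { naiveMergeConfig(defaults, body); } catch (e) { crashed = e instanceof TypeError; }
  return { crashed, safe: safeMergeConfig(defaults, body) };
}
```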

According to an Axios advisory, the issue affects all Axios versions up to 1.13.4, and developers are urged to upgrade to version 1.13.5 immediately.

The maintainers have released a patch in version 1.13.5 that correctly handles the __proto__ key to prevent the type error. Users should update their dependencies using npm or yarn immediately.
