CVE-2026-25639

· Published 09/02/2026 21:15 · Modified 09/02/2026 21:55

Labels: CVE-2026-25639, 2026-02-09, CWE-754

Essential information

Published
09/02/2026 21:15
Modified
09/02/2026 21:55
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in 1.13.5.
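
A mitigation sketch for callers that build request configuration from untrusted JSON, added here as an example and not taken from axios or from this record: `JSON.parse()` stores `__proto__` as an ordinary own property, so the parsed value can be checked and either rejected or cleaned before it reaches any config-merging code. The function names and the sample input are assumptions made for the example.

```javascript
// Collect the path of every own "__proto__" key in a JSON-parsed value.
function findProtoKeys(value, path = '$', found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.keys(value)) {
    const childPath = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`;
    if (key === '__proto__') found.push(childPath);
    findProtoKeys(value[key], childPath, found);
  }
  return found;
}

// Deep-copy a JSON-parsed value, leaving out own "__proto__" keys.
function stripProtoKeys(value) {
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map(stripProtoKeys);
  const clean = {};
  for (const key of Object.keys(value)) {
    if (key !== '__proto__') clean[key] = stripProtoKeys(value[key]);
  }
  return clean;
}

// Hypothetical helper: parse untrusted JSON intended as request config.
// reject=true fails with a controlled error; reject=false returns a cleaned copy.
function parseUntrustedConfig(text, { reject = true } = {}) {
  const parsed = JSON.parse(text);
  const hits = findProtoKeys(parsed);
  if (hits.length > 0 && reject) {
    throw new Error(`config rejected: "__proto__" key at ${hits.join(', ')}`);
  }
  return stripProtoKeys(parsed);
}

// Constructed sample input (not from a real request).
const SAMPLE =
  '{"timeout":5000,"headers":{"__proto__":{"x":1},"Accept":"application/json"}}';
```

Validating at the trust boundary complements, and does not replace, upgrading to 1.13.5.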

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product: axios / axios
CPE: cpe:2.3:a:axios:axios:<1.13.5:*:*:*:*:*:*:*
