PatchSiren cyber security CVE debrief

CVE-2026-25639 axios CVE debrief

CVE-2026-25639 affects Axios releases before 0.30.3 on the 0.x line and before 1.13.5 on the 1.x line. A configuration object that carries __proto__ as an own property, which is what JSON.parse() yields from attacker-supplied JSON, triggers a TypeError in mergeConfig; if that exception is not caught, the process crashes or the request path fails, resulting in denial of service. The issue was publicly disclosed on 2026-02-09, and vendor fixes are available in the Axios patches and release notes.

Vendor: axios
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-09
Original CVE updated: 2026-05-21
Advisory published: 2026-02-09
Advisory updated: 2026-05-21

Who should care

Teams using Axios in browser or Node.js applications should prioritize this issue, especially where request configuration (base URL, headers, params, timeouts and similar options) is built from untrusted JSON or other external input. The trigger is a configuration object carrying __proto__ as an own property, so exposure depends on whether externally influenced data can flow into the options passed to Axios.

Technical summary

In affected Axios releases, mergeConfig does not safely handle configuration objects that include __proto__ as an own property. The supplied vulnerability description states that a malicious object created via JSON.parse() can trigger a TypeError during configuration merging. The own-property distinction matters: an object literal such as { __proto__: x } sets the object's prototype rather than creating a property, whereas JSON.parse('{"__proto__": {}}') does create an own, enumerable property named __proto__, so JSON-derived input is the realistic way for the key to reach the merge. Because the failure occurs during normal request processing, the practical impact is availability loss: an uncaught exception crashes the process or aborts the request path. The issue is fixed in Axios 0.30.3 and 1.13.5.

Defensive priority

High. Patch immediately where affected Axios versions are present, particularly in services that accept untrusted configuration or user-influenced settings. The CVSS vector describes a network-reachable, unauthenticated availability impact (AV:N/AC:L/PR:N/UI:N/A:H); reachability in a given deployment depends on whether network-supplied data can arrive at mergeConfig as a configuration object.

Recommended defensive actions

  • Upgrade Axios to 0.30.3 or later on the 0.x line, or to 1.13.5 or later on the 1.x line.
  • Inventory applications and libraries that depend on Axios and confirm which branch each uses before upgrading; check transitive copies as well (for example with npm ls axios), since a dependency can pin its own older Axios that a top-level upgrade does not touch.
  • Review any code paths that merge externally supplied configuration objects, especially JSON.parse-derived data, and reject or strip an own __proto__ key before it reaches the request configuration.
  • Validate patch deployment by checking the installed Axios version in lockfiles, build artifacts and production containers, not only the range declared in package.json.
  • Monitor application errors for TypeError exceptions whose stack traces pass through mergeConfig until remediation is complete.
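The two points above that call for a code-level check, the own-property distinction from the technical summary and the review-and-validate steps in this list, are illustrated by the following JavaScript, written for this debrief. It is not axios code and does not reproduce axios's mergeConfig. It shows how a JSON.parse-derived __proto__ key differs from an object-literal one, how two common merge idioms (Object.assign and object spread) handle such a key, a sanitiser that strips the key before untrusted JSON reaches a request-config merge, and a version gate for the fixed releases named on this page. The sample JSON, the function names, and the assumption that only the 0.x and 1.x lines are in scope are constructed for the example.

```javascript
// Added example for this debrief; not axios code, and not a model of axios's
// mergeConfig. Sample input and helper names are constructed for illustration.

// Constructed sample of untrusted input (e.g. a per-tenant request-config
// blob read from a database or an HTTP body).
const UNTRUSTED_JSON =
  '{"baseURL":"https://api.example.test","timeout":1000,' +
  '"__proto__":{"polluted":true}}';

// True only when __proto__ is an *own* property. JSON.parse produces that;
// an object literal { __proto__: x } does not (it sets the prototype instead).
function hasOwnProtoKey(obj) {
  return obj !== null && typeof obj === 'object' &&
    Object.prototype.hasOwnProperty.call(obj, '__proto__');
}

// Merge idiom A: Object.assign uses [[Set]], so an own "__proto__" key on the
// source hits Object.prototype's __proto__ setter and silently replaces the
// prototype of the freshly created target with attacker-controlled data.
function mergeWithAssign(base, extra) {
  return Object.assign({}, base, extra);
}

// Merge idiom B: object spread uses CreateDataProperty, so the key becomes an
// own property literally named "__proto__" on the result. Code that later
// walks Object.keys() of the result will see it and may mishandle it.
function mergeWithSpread(base, extra) {
  return { ...base, ...extra };
}

// Sanitiser: copy an untrusted config into null-prototype objects, dropping
// any own "__proto__" key at every depth. Arrays are rebuilt element-wise.
// Only the key this advisory concerns is removed (constructor/prototype keys
// are left alone; extend the check if your threat model includes them).
function sanitizeConfig(input) {
  if (input === null || typeof input !== 'object') return input;
  if (Array.isArray(input)) return input.map(sanitizeConfig);
  const out = Object.create(null);
  for (const key of Object.keys(input)) {
    if (key === '__proto__') continue;
    out[key] = sanitizeConfig(input[key]);
  }
  return out;
}

// Parse untrusted JSON, sanitise it, then merge over trusted defaults. The
// result has a normal prototype but no own "__proto__" key.
function safeMergeFromJson(base, jsonText) {
  const parsed = JSON.parse(jsonText);
  return { ...base, ...sanitizeConfig(parsed) };
}

// Version gate for the fixed releases stated on this page. Assumption: only
// the 0.x and 1.x lines are in scope; any other major returns null
// ("not assessed") rather than a misleading true/false.
const FIXED_BY_MAJOR = { 0: [0, 30, 3], 1: [1, 13, 5] };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isFixedAxiosVersion(v) {
  const ver = parseVersion(v);
  const fixed = FIXED_BY_MAJOR[ver[0]];
  if (!fixed) return null;
  return compareVersions(ver, fixed) >= 0;
}
```

Run it with node. Feed isFixedAxiosVersion the version found in the lockfile or in node_modules/axios/package.json for each installed copy; it is a deployment check, not a substitute for upgrading. The Object.assign behaviour is the one to remember when reviewing merge helpers in your own code: the key does not need to survive into the result to do damage, because the prototype of the merged object has already been replaced.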

Evidence notes

NVD marks the CVE as analyzed and assigns CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, supporting a high-severity availability impact. The vendor advisory and linked fixes identify the affected branches and remediation versions, while release notes for v0.30.3 and v1.13.5 confirm the patched releases. The supplied data does not list the CVE in CISA KEV.

Official resources

Publicly disclosed on 2026-02-09 and last modified in the NVD record on 2026-05-21. The supplied data shows vendor advisory, patch commits, issue-tracking PRs, and fixed release tags for remediation.