FixVibe
Research note (severity: high)

Axios Denial of Service via mergeConfig TypeError (CVE-2026-25639)

Axios, a popular promise-based HTTP client for Node.js and the browser, is vulnerable to a Denial of Service (DoS) attack. In affected versions, the mergeConfig function fails to properly handle configuration objects containing __proto__ as an own property, leading to a TypeError that crashes the application process.

CVE-2026-25639 · CWE-754 · CWE-1287

Impact

An attacker can cause a Denial of Service (DoS) by crashing the application process [S1]. This occurs when the application accepts user-controlled configuration objects and passes them to Axios, which then attempts to merge them using the vulnerable mergeConfig function [S1].

Root Cause

The vulnerability exists in the mergeConfig function of the Axios library [S1]. When processing configuration objects that contain __proto__ as an "own property" (rather than inherited), the function fails to handle the property safely, resulting in a TypeError [S1]. In Node.js environments, an unhandled TypeError typically leads to a process crash, while in browsers, it may disrupt the execution of the current script [S1].

Affected Versions

  • Axios versions prior to 0.30.3 [S1]
  • Axios versions prior to 1.13.5 [S1]

Fixes

Users should upgrade to Axios version 0.30.3, 1.13.5, or later to resolve this issue [S1]. Developers should also ensure that user-supplied input is sanitized before being used to construct configuration objects for HTTP clients [S1].

How FixVibe could detect it

FixVibe can detect this vulnerability by analyzing project dependency manifests, such as package.json, package-lock.json, or yarn.lock, to identify if the project is using a version of axios that falls within the affected ranges [S1].
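As an added example of that manifest check (not FixVibe's own scanner or axios code), the script below parses an npm `package-lock.json`, collects every installed copy of axios, including copies nested under other dependencies, and flags those inside the ranges the advisory names (below 0.30.3 on the 0.x line, below 1.13.5 on the 1.x line). The lockfile content is constructed for the example; the version comparison is a simplified semver compare that ignores pre-release tags, and major versions the advisory does not mention are assumed not affected.

```javascript
// Added example (not FixVibe's or axios's code): scanning an npm lockfile for
// axios versions inside the affected ranges named in this advisory.

// Fixed versions from the advisory, keyed by major version line.
const FIXED_VERSIONS = { 0: '0.30.3', 1: '1.13.5' };

// Parses "1.13.5" (a leading "v" or a "-beta" suffix is tolerated; pre-release
// ordering is ignored in this simplified comparison) into numeric parts.
function parseVersion(version) {
  const core = String(version).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unrecognised version string: ${version}`);
  }
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected: any 0.x release below 0.30.3, any 1.x release below 1.13.5.
// Assumption: major lines the advisory does not mention are treated as not affected.
function isAffectedVersion(version) {
  const major = parseVersion(version)[0];
  const fixed = FIXED_VERSIONS[major];
  return fixed !== undefined && compareVersions(version, fixed) < 0;
}

// Handles both lockfile layouts: v2/v3 ("packages" keyed by install path) and
// v1 ("dependencies", nested per package). v2 carries both sections, so the
// legacy tree is only walked when "packages" is absent, to avoid double counting.
function findAxiosEntries(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'axios') found.push({ path, version: meta.version });
      if (meta.dependencies) walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Returns one record per installed axios copy with an `affected` verdict.
function auditLockfile(lockJsonText) {
  const lock = JSON.parse(lockJsonText);
  return findAxiosEntries(lock).map((e) => ({ ...e, affected: isAffectedVersion(e.version) }));
}

// Constructed lockfile (v3 layout): the app's own axios plus a second copy
// nested under a hypothetical dependency named "legacy-sdk".
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.6.0' } },
    'node_modules/axios': { version: '1.6.0' },
    'node_modules/legacy-sdk': { version: '2.0.0', dependencies: { axios: '~0.30.0' } },
    'node_modules/legacy-sdk/node_modules/axios': { version: '0.30.3' },
  },
});
```

Running `auditLockfile(SAMPLE_LOCKFILE)` reports `node_modules/axios` at 1.6.0 as affected and the nested 0.30.3 copy as not affected. The lockfile rather than `package.json` is scanned because a range such as `^1.6.0` only bounds what may be installed; the lockfile records what actually is, and nested copies under other dependencies are easy to miss when only the top-level manifest is read.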
