Impact
An attacker can cause a Denial of Service (DoS) by crashing the application process [S1]. The precondition is that the application accepts user-controlled configuration objects (for example, request options parsed from a JSON request body) and passes them to Axios, which merges them with the vulnerable mergeConfig function [S1]. No authentication or special network position is described; any caller who can influence the configuration object can trigger the crash.
Root Cause
The vulnerability exists in the mergeConfig function of the Axios library [S1]. When a configuration object carries __proto__ as an "own property" (a real key on the object, rather than the accessor every ordinary object inherits from Object.prototype), the function fails to handle that key safely and throws a TypeError [S1]. Such an own __proto__ key is exactly what JSON.parse produces for input like {"__proto__": {...}}, so an attacker who controls a JSON body that is turned into request options can supply one. In Node.js, an uncaught exception terminates the process unless the application installs a handler, which is the DoS; in browsers, it aborts execution of the current script [S1].
Affected Versions
- Axios 0.x releases prior to 0.30.3 [S1]
- Axios 1.x releases prior to 1.13.5 [S1]
Fixes
Users should upgrade to Axios 0.30.3 (on the 0.x line) or 1.13.5 (on the 1.x line) or later to resolve this issue [S1]. Independently of the upgrade, developers should not pass user-supplied objects into HTTP client configuration as-is: copy only an allow-list of expected keys into a fresh object and reject keys such as __proto__, constructor and prototype, so that a crafted key never reaches the client's merge logic [S1].
How FixVibe could detect it
FixVibe can detect this vulnerability by analyzing project dependency manifests, such as package.json, package-lock.json, or yarn.lock, to identify whether the resolved axios version falls within the affected ranges [S1]. Because lockfiles record every installed copy, this also covers nested axios copies pulled in transitively by other dependencies, which a check on the top-level package.json alone would miss.
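As an added example (not FixVibe's implementation), the following script flags axios entries in a package-lock.json (lockfileVersion 2 or 3, which store installed packages under the "packages" map) whose version is below the fixed release on the same major line. The fixed versions 0.30.3 and 1.13.5 come from the advisory; the function names, the treatment of prerelease suffixes, and the SAMPLE_LOCK fragment are constructed for this illustration.

```javascript
// Added example (not FixVibe code): report axios copies in a package-lock.json
// whose version lies in the affected ranges stated in the advisory.

// Fixed release per major line, as stated in the advisory. Versions below the
// fixed release on the same major line are treated as affected; other major
// lines (e.g. 2.x) are not covered by the advisory and are not reported.
const FIXED_BY_MAJOR = { 0: '0.30.3', 1: '1.13.5' };

// Parses "major.minor.patch"; a "-prerelease" or "+build" suffix is ignored,
// which is a simplification: a prerelease of the fix version would be treated
// as fixed here even though semver orders it before the release.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 comparing a to b numerically component by component.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const fixed = FIXED_BY_MAJOR[parseVersion(version)[0]];
  return fixed !== undefined && compareVersions(version, fixed) < 0;
}

// Walks the "packages" map. Keys look like "node_modules/axios" for the
// top-level install and "node_modules/<dep>/node_modules/axios" for nested
// copies, so every installed copy is examined, not just the direct dependency.
function findAffectedAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/axios') || !meta || !meta.version) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed lockfile fragment: one vulnerable direct copy, one vulnerable
// nested legacy copy, and one nested copy already on the fixed release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/axios': { version: '1.13.4' },
    'node_modules/legacy-sdk/node_modules/axios': { version: '0.21.4' },
    'node_modules/fresh-sdk/node_modules/axios': { version: '1.13.5' },
  },
};

for (const hit of findAffectedAxios(SAMPLE_LOCK)) {
  console.log(`AFFECTED ${hit.path} axios@${hit.version}`);
}
```

To run this against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); lockfileVersion 1 files and yarn.lock use a different layout and would need their own walker.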
