Bug 2438237 (CVE-2026-25639) - CVE-2026-25639 axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
Summary: CVE-2026-25639 axios: Axios affected by Denial of Service via __proto__ Key i...
Keywords:
Status: NEW
Alias: CVE-2026-25639
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2439004 2439005 2439007 2439008 2439010 2439012 2439014 2439015 2439016 2439017 2439018 2439019 2439020 2439021 2439022 2439023 2439024 2439025 2439026 2439027
Blocks:
Reported: 2026-02-09 21:01 UTC by OSIDB Bzimport
Modified: 2026-02-17 18:47 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-02-09 21:01:12 UTC
Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in 1.13.5.
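An added illustration (not axios's code, and not a claim about how mergeConfig itself is implemented) of the two points the description turns on: JSON.parse() yields an own "__proto__" data property where an object literal would not, and a merge routine that copies keys by plain assignment hands that value to the inherited prototype setter. `naiveMerge` and `safeMerge` are hypothetical names; the hardened version skips the prototype-reaching keys and writes data properties with Object.defineProperty.

```javascript
// Added illustration, not axios's code: merging a JSON-sourced config that
// carries an own "__proto__" key. naiveMerge/safeMerge are hypothetical names.

// Object literal syntax treats __proto__ as the prototype setter; JSON.parse
// does not, it creates an ordinary own data property named "__proto__".
const fromLiteral = { __proto__: { viaLiteral: true } };
const fromJson = JSON.parse('{"__proto__": {"polluted": true}, "timeout": 5}');

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive deep merge: copies every own key with plain assignment. When key is
// "__proto__", `result[key] = val` invokes the inherited setter, so the
// attacker-controlled value becomes the prototype of the merged object
// (or null, after which any method call on the result throws a TypeError).
function naiveMerge(a, b) {
  const result = {};
  for (const src of [a, b]) {
    for (const key of Object.keys(src)) {
      const val = src[key];
      result[key] = isPlainObject(val) && isPlainObject(result[key])
        ? naiveMerge(result[key], val)
        : val;
    }
  }
  return result;
}

// Hardened merge: refuses the keys that reach the prototype chain, only
// consults *own* properties of the accumulator, and defines keys as data
// properties so no inherited setter can run.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(a, b) {
  const result = {};
  for (const src of [a, b]) {
    for (const key of Object.keys(src)) {
      if (UNSAFE_KEYS.has(key)) continue; // never merge these, whatever the value
      const val = src[key];
      const existing = hasOwn(result, key) ? result[key] : undefined;
      const merged = isPlainObject(val) && isPlainObject(existing)
        ? safeMerge(existing, val)
        : val;
      Object.defineProperty(result, key,
        { value: merged, enumerable: true, writable: true, configurable: true });
    }
  }
  return result;
}
```

A merge that also builds its accumulator with Object.create(null) would close the same setter path, but then "__proto__" becomes a harmless own key rather than being dropped, so the explicit deny-list is the clearer contract.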

