Update dependency axios to v1.13.5 [SECURITY]#71
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
June 12, 2026 16:03
31f4cdd to
737b9a3
Compare
renovate
Bot
force-pushed
the
renovate/npm-axios-vulnerability
branch
from
July 17, 2026 12:33
737b9a3 to
ba93ae5
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.12.2→1.13.5Axios is Vulnerable to Denial of Service via proto Key in mergeConfig
CVE-2026-25639 / GHSA-43fc-jf86-j433
More information
Details
Denial of Service via proto Key in mergeConfig
Summary
The
mergeConfigfunction in axios crashes with a TypeError when processing configuration objects containing__proto__as an own property. An attacker can trigger this by providing a malicious configuration object created viaJSON.parse(), causing complete denial of service.Details
The vulnerability exists in
lib/core/mergeConfig.jsat lines 98-101:When
propis'__proto__':JSON.parse('{"__proto__": {...}}')creates an object with__proto__as an own enumerable propertyObject.keys()includes'__proto__'in the iterationmergeMap['__proto__']performs prototype chain lookup, returningObject.prototype(truthy object)mergeMap[prop] || mergeDeepPropertiesevaluates toObject.prototypeObject.prototype(...)throwsTypeError: merge is not a functionThe
mergeConfigfunction is called by:Axios._request()atlib/core/Axios.js:75Axios.getUri()atlib/core/Axios.js:201get,post, etc.) atlib/core/Axios.js:211,224PoC
Reproduction steps:
npm install axiospoc.mjswith the code abovenode poc.mjsVerified output (axios 1.13.4):
Control tests performed:
{"timeout": 5000}JSON.parse('{"__proto__": {"x": 1}}'){"headers": {"X-Test": "value"}}Attack scenario:
An application that accepts user input, parses it with
JSON.parse(), and passes it to axios configuration will crash when receiving the payload{"__proto__": {"x": 1}}.Impact
Denial of Service - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.
Affected environments:
This is NOT prototype pollution - the application crashes before any assignment occurs.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
axios/axios (axios)
v1.13.5Compare Source
This release patches a prototype pollution denial-of-service vulnerability, fixes a missing
statusfield regression inAxiosError, adds interceptor ordering control, and introduces URL validation forisAbsoluteURL.v1.13.4Compare Source
Patch release fixing regressions introduced in v1.13.3, including TypeScript export compatibility and CI/build stability.
v1.13.3Compare Source
Bug Fixes
Features
undefinedas a value in AxiosRequestConfig (#5560) (095033c)Reverts
Contributors to this release
v1.13.2Compare Source
Bug Fixes
Performance Improvements
Contributors to this release
v1.13.1Compare Source
Bug Fixes
Contributors to this release
v1.13.0Compare Source
Bug Fixes
Features
Contributors to this release
1.12.2 (2025-09-14)
Bug Fixes
Contributors to this release
1.12.1 (2025-09-12)
Bug Fixes
Contributors to this release
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.