Skip to content

Update dependency axios to v1.13.5 [SECURITY]#71

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-axios-vulnerability
Open

Update dependency axios to v1.13.5 [SECURITY]#71
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-axios-vulnerability

Conversation

@renovate

@renovate renovate Bot commented May 28, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
axios (source) 1.12.21.13.5 age confidence

Axios is Vulnerable to Denial of Service via proto Key in mergeConfig

CVE-2026-25639 / GHSA-43fc-jf86-j433

More information

Details

Denial of Service via proto Key in mergeConfig
Summary

The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.

Details

The vulnerability exists in lib/core/mergeConfig.js at lines 98-101:

utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {
  const merge = mergeMap[prop] || mergeDeepProperties;
  const configValue = merge(config1[prop], config2[prop], prop);
  (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
});

When prop is '__proto__':

  1. JSON.parse('{"__proto__": {...}}') creates an object with __proto__ as an own enumerable property
  2. Object.keys() includes '__proto__' in the iteration
  3. mergeMap['__proto__'] performs prototype chain lookup, returning Object.prototype (truthy object)
  4. The expression mergeMap[prop] || mergeDeepProperties evaluates to Object.prototype
  5. Object.prototype(...) throws TypeError: merge is not a function

The mergeConfig function is called by:

  • Axios._request() at lib/core/Axios.js:75
  • Axios.getUri() at lib/core/Axios.js:201
  • All HTTP method shortcuts (get, post, etc.) at lib/core/Axios.js:211,224
PoC
import axios from "axios";

const maliciousConfig = JSON.parse('{"__proto__": {"x": 1}}');
await axios.get("https://httpbin.org/get", maliciousConfig);

Reproduction steps:

  1. Clone axios repository or npm install axios
  2. Create file poc.mjs with the code above
  3. Run: node poc.mjs
  4. Observe the TypeError crash

Verified output (axios 1.13.4):

TypeError: merge is not a function
    at computeConfigValue (lib/core/mergeConfig.js:100:25)
    at Object.forEach (lib/utils.js:280:10)
    at mergeConfig (lib/core/mergeConfig.js:98:9)

Control tests performed:

Test Config Result
Normal config {"timeout": 5000} SUCCESS
Malicious config JSON.parse('{"__proto__": {"x": 1}}') CRASH
Nested object {"headers": {"X-Test": "value"}} SUCCESS

Attack scenario:
An application that accepts user input, parses it with JSON.parse(), and passes it to axios configuration will crash when receiving the payload {"__proto__": {"x": 1}}.

Impact

Denial of Service - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.

Affected environments:

  • Node.js servers using axios for HTTP requests
  • Any backend that passes parsed JSON to axios configuration

This is NOT prototype pollution - the application crashes before any assignment occurs.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

axios/axios (axios)

v1.13.5

Compare Source

This release patches a prototype pollution denial-of-service vulnerability, fixes a missing status field regression in AxiosError, adds interceptor ordering control, and introduces URL validation for isAbsoluteURL.

v1.13.4

Compare Source

Patch release fixing regressions introduced in v1.13.3, including TypeScript export compatibility and CI/build stability.

v1.13.3

Compare Source

Bug Fixes
  • http2: Use port 443 for HTTPS connections by default. (#​7256) (d7e6065)
  • interceptor: handle the error in the same interceptor (#​6269) (5945e40)
  • main field in package.json should correspond to cjs artifacts (#​5756) (7373fbf)
  • package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#​5754) (b89217e)
  • silentJSONParsing=false should throw on invalid JSON (#​7253) (#​7257) (7d19335)
  • turn AxiosError into a native error (#​5394) (#​5558) (1c6a86d)
  • types: add handlers to AxiosInterceptorManager interface (#​5551) (8d1271b)
  • types: restore AxiosError.cause type from unknown to Error (#​7327) (d8233d9)
  • unclear error message is thrown when specifying an empty proxy authorization (#​6314) (6ef867e)
Features
Reverts
Contributors to this release

v1.13.2

Compare Source

Bug Fixes
  • http: fix 'socket hang up' bug for keep-alive requests when using timeouts; (#​7206) (8d37233)
  • http: use default export for http2 module to support stubs; (#​7196) (0588880)
Performance Improvements
Contributors to this release

v1.13.1

Compare Source

Bug Fixes
  • http: fixed a regression that caused the data stream to be interrupted for responses with non-OK HTTP statuses; (#​7193) (bcd5581)
Contributors to this release

v1.13.0

Compare Source

Bug Fixes
Features
Contributors to this release

1.12.2 (2025-09-14)

Bug Fixes
  • fetch: use current global fetch instead of cached one when env fetch is not specified to keep MSW support; (#​7030) (cf78825)
Contributors to this release

1.12.1 (2025-09-12)

Bug Fixes
Contributors to this release

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot force-pushed the renovate/npm-axios-vulnerability branch from 31f4cdd to 737b9a3 Compare June 12, 2026 16:03
@renovate
renovate Bot force-pushed the renovate/npm-axios-vulnerability branch from 737b9a3 to ba93ae5 Compare July 17, 2026 12:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants