Skip to content

chore(deps): update dependency axios to v1.13.5 [security]#2578

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-axios-vulnerability
Open

chore(deps): update dependency axios to v1.13.5 [security]#2578
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-axios-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 11, 2026

This PR contains the following updates:

Package Change Age Confidence
axios (source) 1.13.41.13.5 age confidence

GitHub Vulnerability Alerts

CVE-2026-25639

Denial of Service via proto Key in mergeConfig

Summary

The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.

Details

The vulnerability exists in lib/core/mergeConfig.js at lines 98-101:

utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {
  const merge = mergeMap[prop] || mergeDeepProperties;
  const configValue = merge(config1[prop], config2[prop], prop);
  (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
});

When prop is '__proto__':

  1. JSON.parse('{"__proto__": {...}}') creates an object with __proto__ as an own enumerable property
  2. Object.keys() includes '__proto__' in the iteration
  3. mergeMap['__proto__'] performs prototype chain lookup, returning Object.prototype (truthy object)
  4. The expression mergeMap[prop] || mergeDeepProperties evaluates to Object.prototype
  5. Object.prototype(...) throws TypeError: merge is not a function

The mergeConfig function is called by:

  • Axios._request() at lib/core/Axios.js:75
  • Axios.getUri() at lib/core/Axios.js:201
  • All HTTP method shortcuts (get, post, etc.) at lib/core/Axios.js:211,224

PoC

import axios from "axios";

const maliciousConfig = JSON.parse('{"__proto__": {"x": 1}}');
await axios.get("https://httpbin.org/get", maliciousConfig);

Reproduction steps:

  1. Clone axios repository or npm install axios
  2. Create file poc.mjs with the code above
  3. Run: node poc.mjs
  4. Observe the TypeError crash

Verified output (axios 1.13.4):

TypeError: merge is not a function
    at computeConfigValue (lib/core/mergeConfig.js:100:25)
    at Object.forEach (lib/utils.js:280:10)
    at mergeConfig (lib/core/mergeConfig.js:98:9)

Control tests performed:

Test Config Result
Normal config {"timeout": 5000} SUCCESS
Malicious config JSON.parse('{"__proto__": {"x": 1}}') CRASH
Nested object {"headers": {"X-Test": "value"}} SUCCESS

Attack scenario:
An application that accepts user input, parses it with JSON.parse(), and passes it to axios configuration will crash when receiving the payload {"__proto__": {"x": 1}}.

Impact

Denial of Service - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.

Affected environments:

  • Node.js servers using axios for HTTP requests
  • Any backend that passes parsed JSON to axios configuration

This is NOT prototype pollution - the application crashes before any assignment occurs.

Release Notes

axios/axios (axios)

v1.13.5

Compare Source

Release 1.13.5

Highlights
  • Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #​7369)
  • Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #​7368)
Changes
Security
  • Fix Denial of Service via __proto__ key in mergeConfig. (PR #​7369)
Fixes
  • Fix/5657. (PR #​7313)
  • Ensure status is present in AxiosError on and after v1.13.3. (PR #​7368)
Features / Improvements
  • Add input validation to isAbsoluteURL. (PR #​7326)
  • Refactor: bump minor package versions. (PR #​7356)
Documentation
  • Clarify object-check comment. (PR #​7323)
  • Fix deprecated Buffer constructor usage and README formatting. (PR #​7371)
CI / Maintenance
  • Chore: fix issues with YAML. (PR #​7355)
  • CI: update workflow YAMLs. (PR #​7372)
  • CI: fix run condition. (PR #​7373)
  • Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #​7360)
  • Chore(release): prepare release 1.13.5. (PR #​7379)
New Contributors

Full Changelog: axios/axios@v1.13.4...v1.13.5

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@safedep
Copy link

safedep bot commented Feb 11, 2026
edited
Loading

SafeDep Report Summary

Green Malicious Packages Badge Red Vulnerable Packages Badge Green Risky License Badge

Package Details
Package Malware Vulnerability Risky License Report
icon class-validator @ 0.13.2
pnpm-lock.yaml		 ok icon
 red cross icon
 ok icon
 🔗
icon axios @ 1.13.5
pnpm-lock.yaml		 ok icon
 ok icon
 ok icon
 🔗
icon axios-retry @ 4.5.0
pnpm-lock.yaml		 ok icon
 ok icon
 ok icon
 🔗
icon libphonenumber-js @ 1.12.36
pnpm-lock.yaml		 ok icon
 ok icon
 ok icon
 🔗

This report is generated by SafeDep Github App

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants