Axios Library Flaw Lets Attackers Crash Your Backend Service (CVE-2026-25639)
Your application uses a popular networking library called Axios to make web requests. A flaw in this library means that if your app accepts data from users, parses it as JSON, and hands the result to Axios as request settings, an attacker can send a single specially crafted request that makes Axios throw an error; if your code does not catch that error, the server process exits. Think of it like a specific combination lock that, when entered, causes the door to fall off its hinges rather than just staying locked.
Business Impact And Actions
Business Impact (high urgency)
If your backend is vulnerable, an attacker can repeatedly send this one-line payload to take your API or service offline — no login required, no special skills needed. This means potential downtime for your customers, missed transactions, and SLA breaches. If your service has uptime commitments or operates in a regulated industry, this could also trigger compliance or contractual obligations.
What To Do
- Ask your developer to check which version of Axios your project uses — if it's below version 1.13.5, it needs to be updated immediately.
- Have your developer upgrade Axios to version 1.13.5 or later (ideally the latest 1.13.6). This is a straightforward dependency update that typically takes under 30 minutes.
- If an immediate upgrade isn't possible, ask your developer to add input validation that rejects any incoming JSON containing a '__proto__' key before it reaches Axios.
- After the update is deployed, ask your developer to confirm the fix by checking the installed version with 'npm list axios'.
Axios < 1.13.5 — Denial of Service via __proto__ Key in mergeConfig (CVE-2026-25639)
Vulnerability Explanation (high severity, CVSS 7.5)
The mergeConfig function in axios (lib/core/mergeConfig.js) iterates over the combined keys of the two config objects, `Object.keys({...config1, ...config2})`, and selects a merge strategy per key with `const merge = mergeMap[prop] || mergeDeepProperties`. A config object produced by JSON.parse() from input such as `{"__proto__": {"x": 1}}` carries '__proto__' as an own enumerable property, and object spread preserves it, so the loop reaches prop === '__proto__'. mergeMap is a plain object, so `mergeMap['__proto__']` is not one of its own entries; the lookup resolves through the prototype chain to Object.prototype, which is truthy. The `||` fallback therefore never applies, Object.prototype is invoked as a function, and the call throws `TypeError: merge is not a function`. That error surfaces as a rejected promise from the request call (or as a synchronous throw from getUri()); if the application does not handle it, Node.js terminates the process. The code path is reachable through every axios HTTP method shortcut (get, post, put, etc.) and through getUri(), so the attack surface is broad.
Root Cause
mergeConfig looks up the per-property merge strategy in mergeMap without checking that the property is one mergeMap actually owns, so a reserved name such as '__proto__' falls through to Object.prototype. JSON.parse() is what makes that name reachable: unlike an object literal or a property assignment, it creates '__proto__' as an own data property rather than invoking the prototype setter, and Object.keys() and object spread then treat it like any other key.
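To see why the `||` fallback never applies, here is a stripped-down model of that lookup, added as an example rather than taken from axios: the helper names echo axios's naming but their bodies are stand-ins, the attacker payload is constructed, and the hardened variant is one possible fix, not necessarily the upstream patch.

```javascript
// Added example, not code from axios: a stripped-down model of the mergeConfig
// dispatch-table lookup. The names mergeMap, mergeDeepProperties and
// defaultToConfig2 mirror axios's naming, but the bodies are stand-ins, and the
// hardened variant is one possible fix, not necessarily the upstream patch.

// Stand-in merge strategies: prefer the request value, fall back to the default.
function mergeDeepProperties(a, b) {
  return b !== undefined ? b : a;
}
function defaultToConfig2(a, b) {
  return b !== undefined ? b : a;
}

// Dispatch table: config property name -> merge strategy. It is a plain object,
// so any name it does not own is looked up on Object.prototype instead.
const mergeMap = {
  url: defaultToConfig2,
  method: defaultToConfig2,
  timeout: defaultToConfig2,
};

// Vulnerable shape. For prop === "__proto__", mergeMap[prop] resolves through the
// prototype chain to Object.prototype, which is truthy, so the fallback is never
// used and Object.prototype is invoked as a function: TypeError.
function mergeConfigVulnerable(config1, config2) {
  const config = {};
  for (const prop of Object.keys({ ...config1, ...config2 })) {
    const merge = mergeMap[prop] || mergeDeepProperties;
    const value = merge(config1[prop], config2[prop]);
    if (value !== undefined) config[prop] = value;
  }
  return config;
}

// Hardened shape: consult the table only for properties it actually owns, and
// skip the reserved name entirely, since `config["__proto__"] = value` would
// change config's prototype rather than store a property.
function mergeConfigHardened(config1, config2) {
  const config = {};
  for (const prop of Object.keys({ ...config1, ...config2 })) {
    if (prop === '__proto__') continue;
    const merge = Object.prototype.hasOwnProperty.call(mergeMap, prop)
      ? mergeMap[prop]
      : mergeDeepProperties;
    const value = merge(config1[prop], config2[prop]);
    if (value !== undefined) config[prop] = value;
  }
  return config;
}

// Constructed attacker payload as it would arrive on the wire. JSON.parse()
// creates an own, enumerable "__proto__" data property instead of invoking the
// prototype setter, which is what makes the key visible to Object.keys().
const attackerConfig = JSON.parse('{"__proto__": {"x": 1}, "timeout": 5}');
const defaults = { method: 'get', timeout: 1000 };

// Run a merge implementation and report the outcome instead of letting the
// TypeError propagate, so both behaviours can be compared side by side.
function tryMerge(mergeFn, config1 = defaults, config2 = attackerConfig) {
  try {
    return { ok: true, result: mergeFn(config1, config2) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

console.log(Object.keys(attackerConfig));     // [ '__proto__', 'timeout' ]
console.log(tryMerge(mergeConfigVulnerable)); // { ok: false, error: 'merge is not a function' }
console.log(tryMerge(mergeConfigHardened));   // { ok: true, result: { method: 'get', timeout: 5 } }
```

The same pattern, a lookup table indexed by an attacker-chosen property name without an own-property check, shows up well beyond axios; the own-property guard is the general fix, and the explicit skip of '__proto__' is needed because writing that key onto the result object would replace its prototype rather than add a property.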
Technical Impact
An unauthenticated remote attacker who can influence any JSON input that flows into an axios config object can make the axios call fail with a TypeError on every request. In applications that do not catch the resulting rejection and have no process supervisor, a single HTTP request takes the service down. The attack is trivially repeatable, enabling sustained denial of service. There is no data exfiltration or code execution risk; impact is limited to availability (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Severity Justification
Network-exploitable with no authentication or user interaction required, low attack complexity, and full availability impact. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H = 7.5. Exploitability is conditional on the application passing user-controlled JSON to axios config, which is a realistic but not universal pattern.
Affected Components
- axios >= 1.0.0, < 1.13.5
- axios < 0.30.3 (legacy 0.x branch)
Remediation Steps
- Upgrade axios to version 1.13.5 or later (1.13.6 at the time of writing): `npm install axios@latest`, or set `"axios": "^1.13.5"` in package.json and reinstall.
- Run `npm audit` after upgrading to confirm no remaining advisories for axios.
- If an immediate upgrade is blocked (e.g., by peer dependency conflicts), add a server-side input sanitization step that rejects or strips any JSON payload containing a '__proto__' key before it is passed to axios config. See code example below.
- Review all code paths where user-supplied or externally-sourced JSON is parsed with JSON.parse() and the result is spread or passed directly into an axios request config, headers, or params object. These are the exploitable patterns.
- Make sure a rejected axios promise is handled at the request boundary (try/catch in async route handlers, or an Express error-handling middleware) so a failed call returns a 5xx response instead of becoming an unhandled rejection, and run the service under a process manager that restarts it (see Best Practices). Treat a global `uncaughtException` handler as a last resort only: Node.js documents that continuing after an uncaught exception leaves the process in an undefined state.
Verification Steps
- Run `npm list axios` and confirm the installed version is >= 1.13.5.
- Run `npm audit` and verify no CVE-2026-25639 advisory is reported.
- Optionally, run a controlled test: create a file test-proto.mjs containing `import axios from 'axios'; const cfg = JSON.parse('{"__proto__": {"x": 1}}'); await axios.get('https://httpbin.org/get', cfg).catch(e => console.log('caught:', e.message));` and run `node test-proto.mjs`. The `.catch` keeps the process alive on every version, so judge by the message: a vulnerable version prints `caught: merge is not a function`; on 1.13.5 or later that message does not appear (the request completes, or fails only with a network error if the host is unreachable).
Code Examples (javascript)
const express = require('express');
const axios = require('axios');
const app = express();
app.use(express.json()); // clients POST {"config": "<JSON string>"}

// Vulnerable: user-controlled JSON passed directly to axios config
app.post('/proxy', async (req, res) => {
  const userConfig = JSON.parse(req.body.config); // attacker sends {"__proto__": {"x": 1}}
  // On axios < 1.13.5 this call rejects with "TypeError: merge is not a function";
  // with no try/catch the rejection is unhandled and Node.js exits. CRASH
  const response = await axios.get('https://api.example.com/data', userConfig);
  res.json(response.data);
});

// Option 1 (preferred): upgrade to axios >= 1.13.5; no code change needed.

// Option 2 (if upgrade is blocked): sanitize config before passing to axios
function sanitizeAxiosConfig(config) {
  // JSON.stringify visits every own enumerable key, at any depth, through the
  // replacer; returning undefined for '__proto__' omits it from the output,
  // and JSON.parse then rebuilds the object without it.
  return JSON.parse(JSON.stringify(config, (key, value) => {
    if (key === '__proto__') return undefined;
    return value;
  }));
}

app.post('/proxy', async (req, res) => {
  try {
    const rawConfig = JSON.parse(req.body.config);
    const safeConfig = sanitizeAxiosConfig(rawConfig);
    const response = await axios.get('https://api.example.com/data', safeConfig);
    res.json(response.data);
  } catch (err) {
    // Error boundary: malformed input is a 400, a failed upstream call is a 502,
    // and neither becomes an unhandled rejection that takes the process down.
    res.status(err instanceof SyntaxError ? 400 : 502).json({ error: 'proxy request failed' });
  }
});
Best Practices
- Never pass raw, user-controlled JSON directly into library configuration objects without validation or sanitization.
- Use a schema validation library (e.g., Zod, Joi) to define and enforce the exact shape of any config object derived from external input before it reaches internal libraries.
- Declare direct dependencies with a range whose floor is the fixed version (for example `"axios": "^1.13.5"`, which admits patch and minor updates but not a new major), and run `npm audit` in CI to catch newly disclosed CVEs automatically.
- Ensure Node.js services run under a process manager (PM2, systemd, Kubernetes) with auto-restart enabled, so a crash does not result in permanent downtime while a fix is being deployed.
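The allowlist approach recommended above, implemented without a third-party schema library, as an added example (not code from the page's proxy or from axios): a validator that builds a fresh request config from untrusted JSON, copying only known keys with type checks and rejecting everything else, '__proto__' included, instead of stripping it. The permitted keys, header names and limits are illustrative assumptions.

```javascript
// Added example, not from the page's code or from axios: an allowlist validator
// that builds a request config from untrusted JSON. The permitted keys, header
// names and limits are illustrative assumptions; adjust them to the endpoint.

const MAX_TIMEOUT_MS = 30000;
const ALLOWED_HEADERS = new Set(['accept', 'accept-language', 'x-request-id']);

// Property names we are willing to copy into a fresh object. "__proto__" fails
// the pattern, as does anything else that is not a plain identifier-like name.
const SAFE_KEY = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/;

// A flat object whose own keys are safe names and whose values are strings.
function isStringMap(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  return Object.keys(value).every((k) => SAFE_KEY.test(k) && typeof value[k] === 'string');
}

// Allowed top-level config keys, each with its value check.
const ALLOWED = {
  timeout: (v) => Number.isInteger(v) && v > 0 && v <= MAX_TIMEOUT_MS,
  responseType: (v) => v === 'json' || v === 'text',
  params: (v) => isStringMap(v),
  headers: (v) => isStringMap(v) && Object.keys(v).every((h) => ALLOWED_HEADERS.has(h.toLowerCase())),
};

// Build a config the proxy can hand to axios. Unknown keys, "__proto__" included,
// are rejected rather than stripped, so a probing client gets an error the
// caller can turn into a 400 and log.
function buildRequestConfig(rawJson) {
  const input = JSON.parse(rawJson);
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new Error('config must be a JSON object');
  }
  const config = {};
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, key)) {
      throw new Error(`unexpected config key: ${key}`);
    }
    if (!ALLOWED[key](input[key])) {
      throw new Error(`invalid value for config key: ${key}`);
    }
    // Nested maps are copied entry by entry into fresh objects rather than
    // passed through by reference.
    config[key] = typeof input[key] === 'object'
      ? Object.fromEntries(Object.entries(input[key]))
      : input[key];
  }
  return config;
}

// Wrapper in the shape a route handler would use: never throws, so the handler
// can map { ok: false } to a 400 without a try/catch around the parse.
function validateConfig(rawJson) {
  try {
    return { ok: true, config: buildRequestConfig(rawJson) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

console.log(validateConfig('{"timeout": 5000, "params": {"q": "axios"}}'));
// { ok: true, config: { timeout: 5000, params: { q: 'axios' } } }
console.log(validateConfig('{"__proto__": {"x": 1}}'));
// { ok: false, error: 'unexpected config key: __proto__' }
```

Compared with the blocklist sanitizer in the code example, this rejects the whole request on any unexpected key, so the same check also stops oversized timeouts, arbitrary headers such as Authorization, and nested '__proto__' keys inside params or headers.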
Found this in your infrastructure?
VulWall scans for this and dozens of other issues automatically.