Axios: Axios Vulnerability Allows Attackers to Trigger DoS and Crash Node.js Servers

Critical DoS Vulnerability in Axios HTTP Library Exposes Node.js Servers to Crashes

A high-severity security flaw (CVE-2026-25639) has been identified in Axios, a widely used HTTP client library for Node.js, enabling attackers to trigger denial-of-service (DoS) attacks by crashing servers. The vulnerability affects all versions up to and including 1.13.4 and stems from improper handling of configuration objects in the mergeConfig function.

The flaw allows attackers to exploit Axios by sending a maliciously crafted JSON payload such as {"__proto__": {"x": 1}} to any endpoint that processes user input into Axios configurations. When the library attempts to merge this payload, it incorrectly treats JavaScript’s Object.prototype as a callable function, causing an immediate server crash. Unlike typical prototype pollution attacks, this vulnerability does not corrupt application behavior incrementally but instead disrupts availability instantly.

The issue resides in lines 98–101 of lib/core/mergeConfig.js, where the code fails to validate property names before processing. Any Node.js application that accepts user-controlled JSON and passes it to Axios methods (e.g., get(), post()) is at risk. Given Axios’s widespread adoption in backend services for API calls, the impact is far-reaching, with attacks requiring no authentication and minimal technical expertise.

The Common Vulnerability Scoring System (CVSS) rates this flaw as High severity (7.5/10), citing its network-based attack vector, low complexity, and lack of required privileges or user interaction. While the vulnerability does not compromise data confidentiality or integrity, it fully disrupts service availability.

Security researcher hackerman70000 discovered and reported the issue. The Axios team has released version 1.13.5, which patches the flaw by adding proper checks for unusual property names in configuration objects. Developers are advised to upgrade immediately and audit their codebases for instances where user input flows into Axios configurations.
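As an added example (not Axios's own code), the kind of pre-check the advisory's advice points to: a guard that rejects user-controlled JSON carrying prototype-related keys before it is turned into an Axios request config, and copies only an allow-list of fields. `findForbiddenKey`, `buildSafeConfig` and the `ALLOWED_KEYS` list are assumptions for this example, not Axios behaviour.

```javascript
// Added example (not Axios's own code): a defensive pre-check for the pattern
// the advisory describes, where user-controlled JSON flows into an Axios
// request config. Assumes the raw request body is available as a string and
// that only a few config fields are meant to be client-controlled.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Allow-listed config fields a caller may set (an assumption for this example,
// not an Axios rule); every other top-level key is dropped.
const ALLOWED_KEYS = ['url', 'method', 'params', 'headers', 'timeout'];

// Walk a parsed JSON value and return the dotted path of the first forbidden
// key, or null when clean. JSON.parse stores "__proto__" as an own property,
// so Object.entries reports it and the walk catches it at any depth.
function findForbiddenKey(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenKey(value[i], `${path}[${i}]`);
      if (hit !== null) return hit;
    }
    return null;
  }
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) return here;
    const hit = findForbiddenKey(child, here);
    if (hit !== null) return hit;
  }
  return null;
}

// Parse untrusted JSON, reject it if it is not an object or carries a
// forbidden key anywhere, then copy only allow-listed fields into a fresh
// object. Rejecting (not silently stripping) leaves a signal to log and alert on.
function buildSafeConfig(rawJson) {
  const parsed = JSON.parse(rawJson);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('rejected request options: body must be a JSON object');
  }
  const bad = findForbiddenKey(parsed);
  if (bad !== null) {
    throw new Error(`rejected request options: forbidden key at "${bad}"`);
  }
  const safe = {};
  for (const key of ALLOWED_KEYS) {
    if (Object.prototype.hasOwnProperty.call(parsed, key)) safe[key] = parsed[key];
  }
  return safe;
}
```

The returned object is what would be handed to the Axios call; the thrown error is the point at which a request should be refused and logged.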

Source: https://gbhackers.com/axios-vulnerability-allows-attackers-to-trigger-dos/

Axios cybersecurity rating report: https://www.rankiteo.com/company/axios

{
  "id": "AXI1770717293",
  "linkid": "axios",
  "type": "Vulnerability",
  "date": "2/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "All Node.js applications using Axios for HTTP requests",
      "industry": "Technology/Software Development",
      "name": "Axios",
      "type": "Software Library"
    }
  ],
  "attack_vector": "Network-based",
  "customer_advisories": "Developers advised to upgrade immediately and audit their codebases.",
  "description": "A high-severity security flaw (CVE-2026-25639) has been identified in Axios, a widely used HTTP client library for Node.js, enabling attackers to trigger denial-of-service (DoS) attacks by crashing servers. The vulnerability affects all versions up to and including 1.13.4 and stems from improper handling of configuration objects in the `mergeConfig` function. Attackers can exploit this by sending a maliciously crafted JSON payload (e.g., `{\"__proto__\": {\"x\": 1}}`) to any endpoint processing user input into Axios configurations, causing an immediate server crash due to incorrect treatment of JavaScript’s `Object.prototype` as a callable function.",
  "impact": {
    "downtime": "Immediate server crash",
    "operational_impact": "Full disruption of service availability",
    "systems_affected": "Node.js servers using Axios versions up to and including 1.13.4"
  },
  "investigation_status": "Vulnerability patched",
  "lessons_learned": "Importance of validating property names in configuration objects to prevent prototype pollution and DoS vulnerabilities. Need for immediate patching of critical vulnerabilities in widely used libraries.",
  "post_incident_analysis": {
    "corrective_actions": "Added proper checks for unusual property names in configuration objects (patch in version 1.13.5).",
    "root_causes": "Improper handling of configuration objects in the `mergeConfig` function, leading to prototype pollution and server crashes."
  },
  "recommendations": "Upgrade Axios to version 1.13.5 or later. Audit codebases for instances where user input flows into Axios configurations. Implement input validation and sanitization for JSON payloads.",
  "references": [
    { "source": "Security Researcher (hackerman70000)" }
  ],
  "response": {
    "containment_measures": "Upgrade to Axios version 1.13.5",
    "remediation_measures": "Patch released (version 1.13.5) with proper checks for unusual property names in configuration objects"
  },
  "title": "Critical DoS Vulnerability in Axios HTTP Library Exposes Node.js Servers to Crashes",
  "type": "Denial-of-Service (DoS)",
  "vulnerability_exploited": "Improper handling of configuration objects in the `mergeConfig` function (CVE-2026-25639)"
}