CVE-2026-25639
Published: 09 February 2026
Summary
CVE-2026-25639 is a high-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Axios Axios. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 31.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25639 is a denial-of-service vulnerability in Axios, a promise-based HTTP client used in browsers and Node.js environments. The issue affects versions prior to 0.30.3 and 1.13.5, where the mergeConfig function throws a TypeError when processing configuration objects that include __proto__ as an own property. This flaw, classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An unauthenticated attacker over the network can exploit this vulnerability with low complexity and no user interaction by supplying a malicious configuration object, typically crafted via JSON.parse(). If an application passes such an object to axios's mergeConfig, it triggers a crash, resulting in complete denial of service for the affected application instance.
Mitigation is available through upgrading to Axios versions 0.30.3 or 1.13.5, which include fixes via specific commits and pull requests documented on GitHub, such as commit 28c721588c7a77e7503d0a434e016f852c597b57, commit d7ff1409c68168d3057fc3891f911b2b92616f9e, PR #7369, PR #7388, and the v0.30.3 release.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6850
Vulnerability details
Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can…
more
trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote unauthenticated DoS via crafted config object triggering unhandled TypeError in Axios mergeConfig (CWE-754), directly matching application/system exploitation for endpoint denial of service.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly addresses this CVE by requiring timely patching of vulnerable Axios versions to 0.30.3 or 1.13.5, preventing the TypeError crash in mergeConfig.
Information input validation ensures applications validate JSON-parsed configuration objects before passing to Axios, blocking malicious __proto__ properties that trigger the DoS.
Error handling requires graceful management of exceptional conditions like __proto__ properties in config objects, mitigating the crash but not fully resolving the underlying Axios flaw.