Cyber Resilience

CVE-2026-25639

HighPublic PoCUpdated

Published: 09 February 2026

Published
09 February 2026
Modified
21 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0013 31.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25639 is a high-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Axios Axios. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 31.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25639 is a denial-of-service vulnerability in Axios, a promise-based HTTP client used in browsers and Node.js environments. The issue affects versions prior to 0.30.3 and 1.13.5, where the mergeConfig function throws a TypeError when processing configuration objects that include __proto__ as an own property. This flaw, classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

An unauthenticated attacker over the network can exploit this vulnerability with low complexity and no user interaction by supplying a malicious configuration object, typically crafted via JSON.parse(). If an application passes such an object to axios's mergeConfig, it triggers a crash, resulting in complete denial of service for the affected application instance.

Mitigation is available through upgrading to Axios versions 0.30.3 or 1.13.5, which include fixes via specific commits and pull requests documented on GitHub, such as commit 28c721588c7a77e7503d0a434e016f852c597b57, commit d7ff1409c68168d3057fc3891f911b2b92616f9e, PR #7369, PR #7388, and the v0.30.3 release.

EU & UK References

Vulnerability details

Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can…

more

trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables remote unauthenticated DoS via crafted config object triggering unhandled TypeError in Axios mergeConfig (CWE-754), directly matching application/system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42039Same product: Axios Axios
CVE-2026-42033Same product: Axios Axios
CVE-2024-57965Same product: Axios Axios
CVE-2026-42035Same product: Axios Axios
CVE-2026-40175Same product: Axios Axios
CVE-2026-42264Same product: Axios Axios
CVE-2026-42043Same product: Axios Axios
CVE-2025-62718Same product: Axios Axios
CVE-2026-42044Same product: Axios Axios
CVE-2026-42038Same product: Axios Axios

Affected Assets

axios
axios
≤ 0.30.3 · 1.0.0 — 1.13.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly addresses this CVE by requiring timely patching of vulnerable Axios versions to 0.30.3 or 1.13.5, preventing the TypeError crash in mergeConfig.

prevent

Information input validation ensures applications validate JSON-parsed configuration objects before passing to Axios, blocking malicious __proto__ properties that trigger the DoS.

prevent

Error handling requires graceful management of exceptional conditions like __proto__ properties in config objects, mitigating the crash but not fully resolving the underlying Axios flaw.

References