High Severity Vulnerability
This vulnerability has been rated as High severity. Immediate action is recommended.
CVE-2026-25639
High
Low
Medium
High
Critical
7.5
CVSS Score
Vulnerability Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
N
Attack Complexity
L
Privileges Required
N
User Interaction
N
Scope
U
Confidentiality
N
Integrity
N
Availability
H
Known Affected Software
113 configuration(s) from 1 vendor(s)
axios
Version:
0.27.1
CPE:
cpe:2.3:a:axios:axios:0.27.1:*:*:*:*:node.js:*:*
axios
Version:
1.7.3
CPE:
cpe:2.3:a:axios:axios:1.7.3:*:*:*:*:node.js:*:*
axios
Version:
0.15.1
CPE:
cpe:2.3:a:axios:axios:0.15.1:*:*:*:*:node.js:*:*
axios
Version:
0.11.1
CPE:
cpe:2.3:a:axios:axios:0.11.1:*:*:*:*:node.js:*:*
axios
Version:
0.15.2
CPE:
cpe:2.3:a:axios:axios:0.15.2:*:*:*:*:node.js:*:*
axios
Version:
0.23.0
CPE:
cpe:2.3:a:axios:axios:0.23.0:*:*:*:*:node.js:*:*
axios
Version:
1.6.0
CPE:
cpe:2.3:a:axios:axios:1.6.0:*:*:*:*:node.js:*:*
axios
Version:
0.28.1
CPE:
cpe:2.3:a:axios:axios:0.28.1:*:*:*:*:node.js:*:*
axios
Version:
0.5.2
CPE:
cpe:2.3:a:axios:axios:0.5.2:*:*:*:*:node.js:*:*
axios
Version:
1.9.0
CPE:
cpe:2.3:a:axios:axios:1.9.0:*:*:*:*:node.js:*:*
axios
Version:
1.3.1
CPE:
cpe:2.3:a:axios:axios:1.3.1:*:*:*:*:node.js:*:*
axios
Version:
1.7.4
CPE:
cpe:2.3:a:axios:axios:1.7.4:*:*:*:*:node.js:*:*
axios
Version:
0.5.1
CPE:
cpe:2.3:a:axios:axios:0.5.1:*:*:*:*:node.js:*:*
axios
Version:
1.7.8
CPE:
cpe:2.3:a:axios:axios:1.7.8:*:*:*:*:node.js:*:*
axios
Version:
0.30.1
CPE:
cpe:2.3:a:axios:axios:0.30.1:*:*:*:*:node.js:*:*
axios
Version:
0.27.0
CPE:
cpe:2.3:a:axios:axios:0.27.0:*:*:*:*:node.js:*:*
axios
Version:
1.6.3
CPE:
cpe:2.3:a:axios:axios:1.6.3:*:*:*:*:node.js:*:*
axios
Version:
0.3.1
CPE:
cpe:2.3:a:axios:axios:0.3.1:*:*:*:*:node.js:*:*
axios
Version:
0.2.2
CPE:
cpe:2.3:a:axios:axios:0.2.2:*:*:*:*:node.js:*:*
axios
Version:
0.19.2
CPE:
cpe:2.3:a:axios:axios:0.19.2:*:*:*:*:node.js:*:*
axios
Version:
0.19.0
CPE:
cpe:2.3:a:axios:axios:0.19.0:-:*:*:*:node.js:*:*
axios
Version:
0.6.0
CPE:
cpe:2.3:a:axios:axios:0.6.0:*:*:*:*:node.js:*:*
axios
Version:
1.3.0
CPE:
cpe:2.3:a:axios:axios:1.3.0:*:*:*:*:node.js:*:*
axios
Version:
1.7.1
CPE:
cpe:2.3:a:axios:axios:1.7.1:*:*:*:*:node.js:*:*
axios
Version:
0.2.0
CPE:
cpe:2.3:a:axios:axios:0.2.0:*:*:*:*:node.js:*:*
axios
Version:
1.6.2
CPE:
cpe:2.3:a:axios:axios:1.6.2:*:*:*:*:node.js:*:*
axios
Version:
1.8.3
CPE:
cpe:2.3:a:axios:axios:1.8.3:*:*:*:*:node.js:*:*
axios
Version:
0.8.1
CPE:
cpe:2.3:a:axios:axios:0.8.1:*:*:*:*:node.js:*:*
axios
Version:
0.4.0
CPE:
cpe:2.3:a:axios:axios:0.4.0:*:*:*:*:node.js:*:*
axios
Version:
0.15.3
CPE:
cpe:2.3:a:axios:axios:0.15.3:*:*:*:*:node.js:*:*
axios
Version:
1.3.3
CPE:
cpe:2.3:a:axios:axios:1.3.3:*:*:*:*:node.js:*:*
axios
Version:
1.4.0
CPE:
cpe:2.3:a:axios:axios:1.4.0:*:*:*:*:node.js:*:*
axios
Version:
1.2.3
CPE:
cpe:2.3:a:axios:axios:1.2.3:*:*:*:*:node.js:*:*
axios
Version:
1.7.7
CPE:
cpe:2.3:a:axios:axios:1.7.7:*:*:*:*:node.js:*:*
axios
Version:
0.13.1
CPE:
cpe:2.3:a:axios:axios:0.13.1:*:*:*:*:node.js:*:*
axios
Version:
1.7.9
CPE:
cpe:2.3:a:axios:axios:1.7.9:*:*:*:*:node.js:*:*
axios
Version:
0.21.1
CPE:
cpe:2.3:a:axios:axios:0.21.1:*:*:*:*:node.js:*:*
axios
Version:
1.3.4
CPE:
cpe:2.3:a:axios:axios:1.3.4:*:*:*:*:node.js:*:*
axios
Version:
1.7.5
CPE:
cpe:2.3:a:axios:axios:1.7.5:*:*:*:*:node.js:*:*
axios
Version:
0.5.0
CPE:
cpe:2.3:a:axios:axios:0.5.0:*:*:*:*:node.js:*:*
axios
Version:
0.10.0
CPE:
cpe:2.3:a:axios:axios:0.10.0:*:*:*:*:node.js:*:*
axios
Version:
1.1.0
CPE:
cpe:2.3:a:axios:axios:1.1.0:*:*:*:*:node.js:*:*
axios
Version:
0.18.1
CPE:
cpe:2.3:a:axios:axios:0.18.1:*:*:*:*:node.js:*:*
axios
Version:
0.18.0
CPE:
cpe:2.3:a:axios:axios:0.18.0:*:*:*:*:node.js:*:*
axios
Version:
0.16.1
CPE:
cpe:2.3:a:axios:axios:0.16.1:*:*:*:*:node.js:*:*
axios
Version:
0.25.0
CPE:
cpe:2.3:a:axios:axios:0.25.0:*:*:*:*:node.js:*:*
axios
Version:
1.2.4
CPE:
cpe:2.3:a:axios:axios:1.2.4:*:*:*:*:node.js:*:*
axios
Version:
0.22.0
CPE:
cpe:2.3:a:axios:axios:0.22.0:*:*:*:*:node.js:*:*
axios
Version:
0.24.0
CPE:
cpe:2.3:a:axios:axios:0.24.0:*:*:*:*:node.js:*:*
axios
Version:
1.2.0
CPE:
cpe:2.3:a:axios:axios:1.2.0:-:*:*:*:node.js:*:*
axios
Version:
1.3.6
CPE:
cpe:2.3:a:axios:axios:1.3.6:*:*:*:*:node.js:*:*
axios
Version:
0.8.0
CPE:
cpe:2.3:a:axios:axios:0.8.0:*:*:*:*:node.js:*:*
axios
Version:
1.8.1
CPE:
cpe:2.3:a:axios:axios:1.8.1:*:*:*:*:node.js:*:*
axios
Version:
1.1.3
CPE:
cpe:2.3:a:axios:axios:1.1.3:*:*:*:*:node.js:*:*
axios
Version:
1.8.4
CPE:
cpe:2.3:a:axios:axios:1.8.4:*:*:*:*:node.js:*:*
axios
Version:
0.21.4
CPE:
cpe:2.3:a:axios:axios:0.21.4:*:*:*:*:node.js:*:*
axios
Version:
1.8.0
CPE:
cpe:2.3:a:axios:axios:1.8.0:*:*:*:*:node.js:*:*
axios
Version:
0.17.0
CPE:
cpe:2.3:a:axios:axios:0.17.0:*:*:*:*:node.js:*:*
axios
Version:
1.6.8
CPE:
cpe:2.3:a:axios:axios:1.6.8:*:*:*:*:node.js:*:*
axios
Version:
1.7.2
CPE:
cpe:2.3:a:axios:axios:1.7.2:*:*:*:*:node.js:*:*
axios
Version:
0.2.1
CPE:
cpe:2.3:a:axios:axios:0.2.1:*:*:*:*:node.js:*:*
axios
Version:
0.28.0
CPE:
cpe:2.3:a:axios:axios:0.28.0:*:*:*:*:node.js:*:*
axios
Version:
0.15.0
CPE:
cpe:2.3:a:axios:axios:0.15.0:*:*:*:*:node.js:*:*
axios
Version:
0.1.0
CPE:
cpe:2.3:a:axios:axios:0.1.0:*:*:*:*:node.js:*:*
axios
Version:
0.21.0
CPE:
cpe:2.3:a:axios:axios:0.21.0:*:*:*:*:node.js:*:*
axios
Version:
1.0.0
CPE:
cpe:2.3:a:axios:axios:1.0.0:alpha1:*:*:*:node.js:*:*
axios
Version:
0.9.0
CPE:
cpe:2.3:a:axios:axios:0.9.0:*:*:*:*:node.js:*:*
axios
Version:
0.14.0
CPE:
cpe:2.3:a:axios:axios:0.14.0:*:*:*:*:node.js:*:*
axios
Version:
0.9.1
CPE:
cpe:2.3:a:axios:axios:0.9.1:*:*:*:*:node.js:*:*
axios
Version:
1.11.0
CPE:
cpe:2.3:a:axios:axios:1.11.0:*:*:*:*:node.js:*:*
axios
Version:
0.4.1
CPE:
cpe:2.3:a:axios:axios:0.4.1:*:*:*:*:node.js:*:*
axios
Version:
1.10.0
CPE:
cpe:2.3:a:axios:axios:1.10.0:*:*:*:*:node.js:*:*
axios
Version:
0.20.0
CPE:
cpe:2.3:a:axios:axios:0.20.0:*:*:*:*:node.js:*:*
axios
Version:
1.5.0
CPE:
cpe:2.3:a:axios:axios:1.5.0:*:*:*:*:node.js:*:*
axios
Version:
0.7.0
CPE:
cpe:2.3:a:axios:axios:0.7.0:*:*:*:*:node.js:*:*
axios
Version:
1.3.5
CPE:
cpe:2.3:a:axios:axios:1.3.5:*:*:*:*:node.js:*:*
axios
Version:
1.2.2
CPE:
cpe:2.3:a:axios:axios:1.2.2:*:*:*:*:node.js:*:*
axios
Version:
1.6.4
CPE:
cpe:2.3:a:axios:axios:1.6.4:*:*:*:*:node.js:*:*
axios
Version:
1.1.1
CPE:
cpe:2.3:a:axios:axios:1.1.1:*:*:*:*:node.js:*:*
axios
Version:
0.12.0
CPE:
cpe:2.3:a:axios:axios:0.12.0:*:*:*:*:node.js:*:*
axios
Version:
1.6.1
CPE:
cpe:2.3:a:axios:axios:1.6.1:*:*:*:*:node.js:*:*
axios
Version:
1.2.1
CPE:
cpe:2.3:a:axios:axios:1.2.1:*:*:*:*:node.js:*:*
axios
Version:
0.13.0
CPE:
cpe:2.3:a:axios:axios:0.13.0:*:*:*:*:node.js:*:*
axios
Version:
1.6.6
CPE:
cpe:2.3:a:axios:axios:1.6.6:*:*:*:*:node.js:*:*
axios
Version:
0.26.0
CPE:
cpe:2.3:a:axios:axios:0.26.0:*:*:*:*:node.js:*:*
axios
Version:
1.12.0
CPE:
cpe:2.3:a:axios:axios:1.12.0:*:*:*:*:node.js:*:*
axios
Version:
1.12.2
CPE:
cpe:2.3:a:axios:axios:1.12.2:*:*:*:*:node.js:*:*
axios
Version:
1.3.2
CPE:
cpe:2.3:a:axios:axios:1.3.2:*:*:*:*:node.js:*:*
axios
Version:
1.6.5
CPE:
cpe:2.3:a:axios:axios:1.6.5:*:*:*:*:node.js:*:*
axios
Version:
0.30.0
CPE:
cpe:2.3:a:axios:axios:0.30.0:*:*:*:*:node.js:*:*
axios
Version:
0.21.2
CPE:
cpe:2.3:a:axios:axios:0.21.2:*:*:*:*:node.js:*:*
axios
Version:
1.7.0
CPE:
cpe:2.3:a:axios:axios:1.7.0:-:*:*:*:node.js:*:*
axios
Version:
1.1.2
CPE:
cpe:2.3:a:axios:axios:1.1.2:*:*:*:*:node.js:*:*
axios
Version:
0.27.2
CPE:
cpe:2.3:a:axios:axios:0.27.2:*:*:*:*:node.js:*:*
axios
Version:
0.19.1
CPE:
cpe:2.3:a:axios:axios:0.19.1:*:*:*:*:node.js:*:*
axios
Version:
1.12.1
CPE:
cpe:2.3:a:axios:axios:1.12.1:*:*:*:*:node.js:*:*
axios
Version:
1.8.2
CPE:
cpe:2.3:a:axios:axios:1.8.2:*:*:*:*:node.js:*:*
axios
Version:
1.6.7
CPE:
cpe:2.3:a:axios:axios:1.6.7:*:*:*:*:node.js:*:*
axios
Version:
0.26.1
CPE:
cpe:2.3:a:axios:axios:0.26.1:*:*:*:*:node.js:*:*
axios
Version:
0.17.1
CPE:
cpe:2.3:a:axios:axios:0.17.1:*:*:*:*:node.js:*:*
axios
Version:
1.2.6
CPE:
cpe:2.3:a:axios:axios:1.2.6:*:*:*:*:node.js:*:*
axios
Version:
0.16.2
CPE:
cpe:2.3:a:axios:axios:0.16.2:*:*:*:*:node.js:*:*
axios
Version:
0.4.2
CPE:
cpe:2.3:a:axios:axios:0.4.2:*:*:*:*:node.js:*:*
axios
Version:
0.29.0
CPE:
cpe:2.3:a:axios:axios:0.29.0:*:*:*:*:node.js:*:*
axios
Version:
1.7.6
CPE:
cpe:2.3:a:axios:axios:1.7.6:*:*:*:*:node.js:*:*
axios
Version:
0.5.4
CPE:
cpe:2.3:a:axios:axios:0.5.4:*:*:*:*:node.js:*:*
axios
Version:
0.3.0
CPE:
cpe:2.3:a:axios:axios:0.3.0:*:*:*:*:node.js:*:*
axios
Version:
0.21.3
CPE:
cpe:2.3:a:axios:axios:0.21.3:*:*:*:*:node.js:*:*
axios
Version:
1.5.1
CPE:
cpe:2.3:a:axios:axios:1.5.1:*:*:*:*:node.js:*:*
axios
Version:
0.5.3
CPE:
cpe:2.3:a:axios:axios:0.5.3:*:*:*:*:node.js:*:*
axios
Version:
1.2.5
CPE:
cpe:2.3:a:axios:axios:1.2.5:*:*:*:*:node.js:*:*
axios
Version:
0.16.0
CPE:
cpe:2.3:a:axios:axios:0.16.0:*:*:*:*:node.js:*:*
axios
Version:
0.11.0
CPE:
cpe:2.3:a:axios:axios:0.11.0:*:*:*:*:node.js:*:*
This vulnerability affects 113 software configuration(s). Ensure you patch all affected systems.
Red Hat
RHSA-2026:2694
RHSA-2026:2694: cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
Severity
Unknown
Released
Feb 12, 2026
Security Update
References & Resources
-
https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57security-advisories@github.com Patch
-
https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9esecurity-advisories@github.com
-
https://github.com/axios/axios/pull/7369security-advisories@github.com
-
https://github.com/axios/axios/pull/7388security-advisories@github.com
-
https://github.com/axios/axios/releases/tag/v0.30.3security-advisories@github.com
-
https://github.com/axios/axios/releases/tag/v1.13.5security-advisories@github.com Product Release Notes
-
https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433security-advisories@github.com Exploit Vendor Advisory
Severity Details
7.5
out of 10.0
High
Weakness Type (CWE)
CWE-754
Improper Check for Unusual or Exceptional Conditions
- Description
- The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
- Exploit Likelihood
- Medium
- Typical Severity
- High
- Abstraction Level
- Class
Key Information
- Published Date
- February 09, 2026
