CVSS 7.5 | CVE-2026-25639

Axios Vulnerable to DoS and Malware (CVE-2026-25639)

Two vulnerabilities affect Axios: CVE-2026-25639 is a DoS via prototype pollution, and GHSA-fw8c-xr5c-95f9 is a malware injection. Update Axios now!

Published on

Axios, a popular HTTP client for Node.js, is vulnerable to a denial-of-service (DoS) attack (CVE-2026-25639) and a malware injection (GHSA-fw8c-xr5c-95f9). The DoS vulnerability can be triggered by a malicious configuration object, while the malware injects a remote access trojan. Patches are available to address these issues; update immediately to mitigate the risks.

CVE-2026-25639 has a CVSS score of 7.5, indicating high severity.

What is Axios?

Axios is a widely used, promise-based HTTP client for Node.js and browsers. It simplifies making HTTP requests and handling responses. Axios is commonly used in web applications and server-side applications to interact with APIs and other web services. To learn more, you can search all axios CVEs.

CVE-2026-25639: Denial of Service via __proto__ Key

CVSS: 7.5
Affected versions: Any application using Axios that processes user-controlled JSON and passes it to Axios configuration methods is vulnerable. This affects Node.js servers using Axios for HTTP requests.

High severity: An attacker can crash the application.

The EPSS score is 0.049, indicating a low probability of exploitation.

The `mergeConfig` function in Axios crashes when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, leading to a denial of service.

How to fix CVE-2026-25639 in Axios

Patch immediately
  1. Update Axios to version 1.13.5 or later.
Update Axios:
  npm update axios

Workaround: Avoid passing user-controlled JSON directly to Axios configuration methods. Sanitize or validate the input before passing it to Axios.
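An added example of the workaround above (not code from this advisory or from the Axios project): it shows that `JSON.parse()` turns a `"__proto__"` key into an own property, and a small validator/sanitizer (the function names are assumptions) that rejects or strips such keys before the parsed object is handed to an Axios configuration method.

```javascript
// Added example, not part of the advisory or of Axios.
// Keys that must never appear as OWN properties in user-controlled config.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns true when the value, or any nested object, carries a forbidden key
// as an own property. JSON.parse creates such properties:
// JSON.parse('{"__proto__": {}}') yields an object whose own keys are ['__proto__'].
function hasForbiddenOwnKey(value) {
  if (value === null || typeof value !== 'object') return false;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return true;
    if (hasForbiddenOwnKey(value[key])) return true;
  }
  return false;
}

// Rebuilds the input as fresh plain objects/arrays, dropping forbidden keys
// at every depth, so the result carries no own "__proto__"-style property.
function sanitizeConfig(value) {
  if (Array.isArray(value)) return value.map(sanitizeConfig);
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    out[key] = sanitizeConfig(value[key]);
  }
  return out;
}

// Constructed sample of user-controlled input (not a real payload from the page).
const UNTRUSTED_JSON =
  '{"timeout": 1000, "__proto__": {"polluted": true},' +
  ' "headers": {"constructor": {}, "X-Request-Id": "abc"}}';

// Parses untrusted JSON and reports whether it should be rejected outright,
// together with a sanitized copy that is safe to pass to Axios config merging.
function parseUserConfig(json) {
  const parsed = JSON.parse(json);
  return { rejected: hasForbiddenOwnKey(parsed), safe: sanitizeConfig(parsed) };
}
```

In a real handler, either refuse the request when `rejected` is true or pass only `safe` on to Axios; never forward the raw parsed object.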

NextGuard automatically flags CVE-2026-25639 if Axios appears in any of your monitored projects — no manual lookup required.

Stay ahead of nodejs vulnerabilities

Proactively detect and remediate vulnerabilities in your nodejs projects. Use NextGuard to monitor your nodejs dependencies.


Frequently asked questions

Axios users should update to the latest version to mitigate the risk of denial-of-service attacks and malware injection. Stay informed about the latest security threats and see all nodejs vulnerabilities. Regularly audit your dependencies to ensure a secure application environment.

Related topics

nodejs, axios, denial of service, malware, security