Skip to content

fix(deps): update dependency axios to v1.13.5 [security] #5055

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
renovate merged 1 commit into from
Feb 10, 2026
Merged

fix(deps): update dependency axios to v1.13.5 [security] #5055

renovate merged 1 commit into from
Feb 10, 2026
+10 −10

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 10, 2026

This PR contains the following updates:

Package Change Age Confidence
axios (source) 1.13.41.13.5 age confidence

GitHub Vulnerability Alerts

CVE-2026-25639

Denial of Service via proto Key in mergeConfig

Summary

The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.

Details

The vulnerability exists in lib/core/mergeConfig.js at lines 98-101:

utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {
  const merge = mergeMap[prop] || mergeDeepProperties;
  const configValue = merge(config1[prop], config2[prop], prop);
  (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
});

When prop is '__proto__':

  1. JSON.parse('{"__proto__": {...}}') creates an object with __proto__ as an own enumerable property
  2. Object.keys() includes '__proto__' in the iteration
  3. mergeMap['__proto__'] performs prototype chain lookup, returning Object.prototype (truthy object)
  4. The expression mergeMap[prop] || mergeDeepProperties evaluates to Object.prototype
  5. Object.prototype(...) throws TypeError: merge is not a function

The mergeConfig function is called by:

  • Axios._request() at lib/core/Axios.js:75
  • Axios.getUri() at lib/core/Axios.js:201
  • All HTTP method shortcuts (get, post, etc.) at lib/core/Axios.js:211,224

PoC

import axios from "axios";

const maliciousConfig = JSON.parse('{"__proto__": {"x": 1}}');
await axios.get("https://httpbin.org/get", maliciousConfig);

Reproduction steps:

  1. Clone axios repository or npm install axios
  2. Create file poc.mjs with the code above
  3. Run: node poc.mjs
  4. Observe the TypeError crash

Verified output (axios 1.13.4):

TypeError: merge is not a function
    at computeConfigValue (lib/core/mergeConfig.js:100:25)
    at Object.forEach (lib/utils.js:280:10)
    at mergeConfig (lib/core/mergeConfig.js:98:9)

Control tests performed:

Test Config Result
Normal config {"timeout": 5000} SUCCESS
Malicious config JSON.parse('{"__proto__": {"x": 1}}') CRASH
Nested object {"headers": {"X-Test": "value"}} SUCCESS

Attack scenario:
An application that accepts user input, parses it with JSON.parse(), and passes it to axios configuration will crash when receiving the payload {"__proto__": {"x": 1}}.

Impact

Denial of Service - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.

Affected environments:

  • Node.js servers using axios for HTTP requests
  • Any backend that passes parsed JSON to axios configuration

This is NOT prototype pollution - the application crashes before any assignment occurs.

Release Notes

axios/axios (axios)

v1.13.5

Compare Source

Release 1.13.5

Highlights
  • Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #​7369)
  • Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #​7368)
Changes
Security
  • Fix Denial of Service via __proto__ key in mergeConfig. (PR #​7369)
Fixes
  • Fix/5657. (PR #​7313)
  • Ensure status is present in AxiosError on and after v1.13.3. (PR #​7368)
Features / Improvements
  • Add input validation to isAbsoluteURL. (PR #​7326)
  • Refactor: bump minor package versions. (PR #​7356)
Documentation
  • Clarify object-check comment. (PR #​7323)
  • Fix deprecated Buffer constructor usage and README formatting. (PR #​7371)
CI / Maintenance
  • Chore: fix issues with YAML. (PR #​7355)
  • CI: update workflow YAMLs. (PR #​7372)
  • CI: fix run condition. (PR #​7373)
  • Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #​7360)
  • Chore(release): prepare release 1.13.5. (PR #​7379)
New Contributors

Full Changelog: axios/axios@v1.13.4...v1.13.5

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner February 10, 2026 05:56
@renovate renovate bot added bot dependencies Pull requests that update a dependency file labels Feb 10, 2026
@renovate renovate bot enabled auto-merge (squash) February 10, 2026 05:56
@renovate renovate bot merged commit 95bd055 into master Feb 10, 2026
2 checks passed
@renovate renovate bot deleted the renovate/npm-axios-vulnerability branch February 10, 2026 06:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

bot dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants