## axios v1 Security Update: Critical DoS Vulnerability in `mergeConfig` via `__proto__` Key
A critical security vulnerability in the widely used axios HTTP client library has been disclosed, exposing a large number of applications to potential Denial of Service (DoS) attacks. The flaw, tracked as CVE-2026-25639, resides in the library's `mergeConfig` function, which crashes with a TypeError when it processes a configuration object that carries `__proto__` as an own property. A remote attacker who can get such an object into `mergeConfig` can therefore crash the Node.js process with a specially crafted request, halting the service.

The vulnerability is present in versions prior to axios v1.13.2. The security advisory states that the crash is triggered when an attacker controls the configuration object passed to `mergeConfig`. This is a significant risk for any server-side application that feeds data from incoming HTTP requests into axios, since a malicious payload could arrive through request headers or body parameters. The update to version 1.13.2 patches this issue.

This security alert, originating from a GitHub repository's automated dependency update (Renovatebot), underscores the pervasive risk of supply chain attacks in modern software development. The axios library is a foundational dependency for millions of Node.js and frontend projects. While the immediate fix is a version bump, the incident highlights the critical need for continuous dependency monitoring and the latent threat of prototype pollution attacks within common utility functions. Organizations must prioritize applying this patch to mitigate service disruption risks.
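As an added illustration that is not part of the original alert or of the axios code base, the constructed deep-merge below shows how an own `__proto__` key (the kind `JSON.parse` produces from request data) crashes a naive merge with a TypeError, and the key filtering a hardened merge needs; `naiveMerge`, `safeMerge`, `buildConfig` and the sample bodies are hypothetical.

```javascript
// Added example, not axios's code: hypothetical deep-merge and its hardened form.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
// Naive merge: copies every own key of `source` onto `target`.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val) && isPlainObject(target[key])) {
      naiveMerge(target[key], val); // for "__proto__" this recurses into Object.prototype
    } else {
      target[key] = val; // for "__proto__" this invokes the prototype setter
    }
  }
  return target;
}
// Hardened merge: skips keys that reach the prototype chain and only recurses
// into properties that `target` itself owns.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}
// Simulated handler: merges defaults with a request body, then calls an inherited
// method as ordinary downstream code does. JSON.parse yields an OWN "__proto__" key.
function buildConfig(mergeFn, body) {
  const defaults = { timeout: 1000, headers: { Accept: 'application/json' } };
  const cfg = mergeFn(defaults, JSON.parse(body));
  if (!cfg.hasOwnProperty('url')) throw new Error('url is required');
  return cfg;
}
// Runs both merges on a body; a crash is returned as "<ErrorName>: <message>".
function tryBoth(body) {
  const run = (fn) => {
    try { return buildConfig(fn, body); } catch (e) { return `${e.name}: ${e.message}`; }
  };
  return { naive: run(naiveMerge), safe: run(safeMerge) };
}
// Constructed hostile body: an own "__proto__": null detaches the prototype chain.
const HOSTILE_BODY = '{"url":"/api","__proto__":null}';
```

With `HOSTILE_BODY`, `naiveMerge` leaves the config with a null prototype, so the next inherited-method call throws a TypeError, while `safeMerge` drops the key and returns a normal config.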
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, nodejs, supply-chain, CVE-2026-25639
- **Credibility**: unverified
- **Published**: 2026-04-08 21:27:21
- **ID**: 55678
- **URL**: https://whisperx.ai/en/intel/55678