Threat Advisory

High-Severity Axios Flaw Crashes Node.js Servers

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

A high-severity vulnerability tracked as CVE-2026-25639 has been identified in the widely used Axios HTTP client for Node.js and browser environments. The flaw lies in Axios’s internal mergeConfig function, which combines multiple configuration objects. When this function processes a configuration object that carries __proto__ as an own property, it throws a TypeError, causing an abrupt failure of the application. An attacker can trigger this behaviour by supplying a crafted configuration—typically derived from user input parsed with JSON.parse()—that reaches the unsafe code path. The result is a denial-of-service condition that can crash the entire Node.js process hosting the application. The issue has received a CVSS v3.1 base score of 7.5 (High), reflecting its serious impact on availability. Any application that passes untrusted JSON into Axios configuration methods on affected versions is at risk.
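The following is an added example, not code from the advisory or from the axios project, showing the defensive boundary the summary implies: JSON.parse() turns a "__proto__" key in a request body into an ordinary own property, so a parsed object handed straight to an HTTP client's config merge can carry exactly the shape described above. The example detects such keys before any merge and builds an allow-listed config instead. The allowed field list, the rejection of "constructor" and "prototype" alongside "__proto__", and the sample bodies are assumptions constructed for illustration; the advisory does not specify them.

```javascript
// Added example (not from the advisory or the axios project): hardening the
// point where untrusted JSON becomes an HTTP request config.
//
// JSON.parse() creates "__proto__" as an *own* property rather than setting
// the prototype, so a body such as {"__proto__": {}} survives parsing intact.
// The safe pattern is to never hand the parsed object to the client directly:
// detect prototype-related own keys, then copy only allow-listed fields.

// Keys that should never appear as own properties of a config (assumption:
// "constructor" and "prototype" are rejected alongside "__proto__").
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Fields a hypothetical endpoint lets callers control (assumption).
const ALLOWED_CONFIG_KEYS = ['url', 'method', 'timeout', 'headers', 'params'];

// Detection check: true if the value (recursively) has an own key that could
// interfere with prototype handling. Run this before any merge step.
function hasForbiddenOwnKey(value, depth = 0) {
  if (value === null || typeof value !== 'object' || depth > 32) return false;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return true;
    if (hasForbiddenOwnKey(value[key], depth + 1)) return true;
  }
  return false;
}

// Mitigation: build a fresh config containing only allow-listed keys.
// Throws at the trust boundary instead of letting a merge routine fail later.
function buildSafeRequestConfig(untrustedJsonText) {
  let parsed;
  try {
    parsed = JSON.parse(untrustedJsonText);
  } catch (err) {
    throw new Error('rejected: body is not valid JSON');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('rejected: config must be a JSON object');
  }
  if (hasForbiddenOwnKey(parsed)) {
    throw new Error('rejected: prototype-related key in untrusted config');
  }
  const safe = {};
  for (const key of ALLOWED_CONFIG_KEYS) {
    if (Object.prototype.hasOwnProperty.call(parsed, key)) {
      safe[key] = parsed[key];
    }
  }
  return safe;
}

// Constructed sample request bodies (not real traffic).
const BENIGN_BODY =
  '{"url":"https://example.invalid/api","method":"GET","timeout":5000,"extra":"ignored"}';
const HOSTILE_BODY =
  '{"url":"https://example.invalid/api","__proto__":{"polluted":true}}';
const NESTED_HOSTILE_BODY =
  '{"url":"https://example.invalid/api","headers":{"__proto__":{}}}';

console.log('benign  ->', buildSafeRequestConfig(BENIGN_BODY));
for (const body of [HOSTILE_BODY, NESTED_HOSTILE_BODY]) {
  try {
    buildSafeRequestConfig(body);
  } catch (e) {
    console.log('blocked ->', e.message);
  }
}
```

The returned object only ever holds the listed keys, so an unexpected field such as "extra" is dropped rather than forwarded. Logging the rejection message gives operations a simple signal to alert on while the dependency is being upgraded.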

RECOMMENDATION:

We strongly recommend you update axios to version 1.13.5 or later.

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/http-down-high-severity-axios-flaw-cvss-7-5-crashes-node-js-servers/
