A high-severity vulnerability in Axios, tracked as CVE-2026-25639 and rated CVSS 7.5, can crash Node.js servers that use the library. According to GHSA-43fc-jf86-j433, the flaw lies in Axios' mergeConfig function, which throws a TypeError when it encounters an own property named __proto__ in a configuration object. A standard attack involves sending a malicious JSON payload such as {"__proto__": {"x": 1}}, which causes the library to attempt a merge operation on a value that is not a function.
The advisory warns that an attacker can trigger a denial of service by supplying a crafted configuration object, for example one produced by JSON.parse() on untrusted input, potentially taking the Node.js process hosting the application offline. The maintainers have released fixes in Axios version 1.13.4, with 1.13.5 addressing the crash to restore stability; organisations running Node.js servers with axios are urged to upgrade promptly.