
6 matches found

Snyk
added 2026/04/24 7:21 p.m. | 1 view

Prototype Pollution

Overview: org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Prototype Pollution through the mergeConfig code path in the request configuration handling. An attacker can influence request behavior by supplying a...

9.1 CVSS | 6.6 AI score | 0.00043 EPSS
Exploits: 1 | References: 2

Snyk
added 2026/02/09 8:53 p.m. | 3 views

Prototype Pollution

Overview: org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Prototype Pollution via the mergeConfig function. An attacker can cause the application to crash by supplying a malicious configuration object containing ...

8.7 CVSS | 6.8 AI score | 0.00044 EPSS
Exploits: 1 | References: 2

CVE
added 2026/02/09 8:11 p.m. | 257 views

CVE-2026-25639

Axios prior to v1.13.5 is vulnerable in mergeConfig when an own property named __proto__ is present, causing a TypeError and potential denial of service via crafted configuration objects (e.g., JSON.parse()). The issue is fixed in v1.13.5; upgrading mitigates the vulnerability.

7.5 CVSS | 5.9 AI score | 0.00044 EPSS
Exploits: 1 | References: 7 | Affected Software: 1

OSV
added 2026/02/09 5:46 p.m. | 0 views

GHSA-43FC-JF86-J433 Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig

Denial of Service via __proto__ Key in mergeConfig. Summary: The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse, causing...

7.5 CVSS | 6 AI score | 0.00044 EPSS
Exploits: 1 | References: 9

Positive Technologies
added 2026/02/08 12:0 a.m. | 3 views

PT-2026-7150

Name of the Vulnerable Software and Affected Versions: Axios versions prior to 1.13.5 Description: The mergeConfig function in the Axios library is susceptible to crashing when processing configuration objects that include __proto__ as an own property. An attacker can exploit this by sending a speciall...

7.8 CVSS | 7 AI score | 0.00044 EPSS
Exploits: 1 | References: 33

Positive Technologies
added 2020/03/09 12:0 a.m. | 4 views

PT-2020-9156 · Vega-Util · Vega-Util

Name of the Vulnerable Software and Affected Versions: vega-util versions prior to 1.13.1 Description: The issue allows manipulation of the object prototype. The vega.mergeConfig method within vega-util can be tricked into adding or modifying properties of the Object.prototype. Recommendations: F...

4.3 CVSS | 4.5 AI score | 0.00329 EPSS
Exploits: 1 | References: 5