Your message dated Sun, 29 Mar 2026 19:33:58 +0000
with message-id <[email protected]>
and subject line Bug#1127907: fixed in node-axios 1.14.0+dfsg-1
has caused the Debian Bug report #1127907,
regarding node-axios: CVE-2026-25639
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1127907: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127907
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-axios
Version: 1.13.2+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-axios.

CVE-2026-25639[0]:
| Axios is a promise based HTTP client for the browser and Node.js.
| Prior to 1.13.5, the mergeConfig function in axios crashes with a
| TypeError when processing configuration objects containing __proto__
| as an own property. An attacker can trigger this by providing a
| malicious configuration object created via JSON.parse(), causing
| complete denial of service. This vulnerability is fixed in 1.13.5.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-25639
    https://www.cve.org/CVERecord?id=CVE-2026-25639
[1] https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433
[2] https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
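
Added example, not part of the original bug report and not axios or Debian code: the CVE text above says the crash is triggered by a configuration object from JSON.parse() that carries __proto__ as an own property. The sketch below screens such input before it reaches an HTTP client; the function names and sample strings are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers, not axios code.
// Sample inputs below are constructed for illustration.
const SAMPLE_BAD = '{"url":"/items","headers":{"__proto__":{"x-test":"1"}}}';
const SAMPLE_OK = '{"url":"/items","timeout":5000}';

// True if the value, or anything nested in it, has "__proto__" as an OWN key.
// JSON.parse creates such a key as plain data; an object literal would set
// the prototype instead and leave no own key behind.
function hasOwnProtoKey(value, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object') return false;
  if (seen.has(value)) return false; // already visited (cycle guard)
  seen.add(value);
  if (Object.prototype.hasOwnProperty.call(value, '__proto__')) return true;
  // Object.keys returns own enumerable keys only, so the walk never follows
  // the prototype chain.
  return Object.keys(value).some((k) => hasOwnProtoKey(value[k], seen));
}

// JSON.parse reviver: returning undefined deletes the property from its parent.
function dropProto(key, val) {
  return key === '__proto__' ? undefined : val;
}

// Parse untrusted JSON into a request config.
// mode 'reject' refuses input with an own __proto__ key; 'strip' removes it.
// Always returns a result object instead of throwing, so one bad request
// cannot take the process down.
function loadRequestConfig(text, mode = 'reject') {
  let parsed;
  try {
    parsed = mode === 'strip' ? JSON.parse(text, dropProto) : JSON.parse(text);
  } catch (err) {
    return { ok: false, reason: 'invalid JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, reason: 'config must be a JSON object' };
  }
  if (hasOwnProtoKey(parsed)) {
    return { ok: false, reason: 'own __proto__ key in config' };
  }
  return { ok: true, config: parsed };
}
```

A check like this complements the package upgrade and does not replace it.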
--- Begin Message ---
Source: node-axios
Source-Version: 1.14.0+dfsg-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-axios, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-axios package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 29 Mar 2026 21:09:03 +0200
Source: node-axios
Built-For-Profiles: nocheck
Architecture: source
Version: 1.14.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1127907
Changes:
 node-axios (1.14.0+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 1.14.0+dfsg (Closes: #1127907, CVE-2026-25639)
   * Refresh patches for new upstream version
   * Update extlinks: rollup-plugin-terser → @rollup/plugin-terser

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
