Source: node-axios Version: 1.13.2+dfsg-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for node-axios. CVE-2026-25639[0]: | Axios is a promise based HTTP client for the browser and Node.js. | Prior to 1.13.5, the mergeConfig function in axios crashes with a | TypeError when processing configuration objects containing __proto__ | as an own property. An attacker can trigger this by providing a | malicious configuration object created via JSON.parse(), causing | complete denial of service. This vulnerability is fixed in 1.13.5. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-25639 https://www.cve.org/CVERecord?id=CVE-2026-25639 [1] https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433 [2] https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
