[Cycode] Fix for vulnerable manifest file dependency - axios updated to version 1.13.2

[cycode-security]

Cycode Vulnerable Dependencies Update

This pull request updates the following manifest file:

File Path	Number of packages to update
package.json	1

📂 package.json

1 package will be updated to resolve vulnerabilities:

Package Name	Current Version	Updated Version
axios	1.7.7	1.13.2

[cycode-security]

❗Cycode: Security vulnerability found in newly introduced dependency.

Severity	High
Issue	Axios is Vulnerable to Denial of Service via proto Key in mergeConfig: CVE-2026-25639
Ecosystem	NPM
Dependency	axios
Dependency Paths	axios 1.13.2
Direct Dependency	Yes
Development Dependency	No
Upgrade	1.13.5

Denial of Service via proto Key in mergeConfig

Summary

The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.

Details

The vulnerability exists in lib/core/mergeConfig.js at lines 98-101:

utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {
  const merge = mergeMap[prop] || mergeDeepProperties;
  const configValue = merge(config1[prop], config2[prop], prop);
  (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
});

When prop is '__proto__':

1. JSON.parse('{"__proto__": {...}}') creates an object with __proto__ as an own enumerable property
2. Object.keys() includes '__proto__' in the iteration
3. mergeMap['__proto__'] performs prototype chain lookup, returning Object.prototype (truthy object)
4. The expression mergeMap[prop] || mergeDeepProperties evaluates to Object.prototype
5. Object.prototype(...) throws TypeError: merge is not a function

The mergeConfig function is called by:

• Axios._request() at lib/core/Axios.js:75
• Axios.getUri() at lib/core/Axios.js:201
• All HTTP method shortcuts (get, post, etc.) at lib/core/Axios.js:211,224

PoC

import axios from "axios";

const maliciousConfig = JSON.parse('{"__proto__": {"x": 1}}');
await axios.get("https://httpbin.org/get", maliciousConfig);

Reproduction steps:

1. Clone axios repository or npm install axios
2. Create file poc.mjs with the code above
3. Run: node poc.mjs
4. Observe the TypeError crash

Verified output (axios 1.13.4):

TypeError: merge is not a function
    at computeConfigValue (lib/core/mergeConfig.js:100:25)
    at Object.forEach (lib/utils.js:280:10)
    at mergeConfig (lib/core/mergeConfig.js:98:9)

Control tests performed:

Test	Config	Result
Normal config	{"timeout": 5000}	SUCCESS
Malicious config	JSON.parse('{"__proto__": {"x": 1}}')	CRASH
Nested object	{"headers": {"X-Test": "value"}}	SUCCESS

Attack scenario:
An application that accepts user input, parses it with JSON.parse(), and passes it to axios configuration will crash when receiving the payload {"__proto__": {"x": 1}}.

Impact

Denial of Service - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.

Affected environments:

• Node.js servers using axios for HTTP requests
• Any backend that passes parsed JSON to axios configuration

This is NOT prototype pollution - the application crashes before any assignment occurs.

Description

Detects when new vulnerabilities affect your dependencies.

Tell us how you wish to proceed using one of the following commands:

Tag	Short Description
#cycode_ignore_manifest_here <reason>	Applies to this manifest in this request only
#cycode_vulnerable_package_fix_this_violation	Fix this violation via a commit to this branch
#cycode_ignore_package_here <reason>	Applies to this manifest for this package in this request only

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.