Axios Denial-of-Service Vulnerability in mergeConfig Function

Vulnerability

A denial-of-service vulnerability has been identified in Axios versions prior to 1.13.5. The issue arises in the mergeConfig function, which crashes with a TypeError when handling configuration objects that contain __proto__ as an own property. This vulnerability can be exploited by providing a malicious configuration object created with JSON.parse(), leading to a complete application crash. The problem does not involve prototype pollution, as the application fails before any such assignment can occur.

Impact

Exploitation of this vulnerability causes a complete application crash, disrupting any ongoing processes or services that rely on the affected Axios instance.

Reproduction

To reproduce this vulnerability, create a JavaScript file and include code that imports Axios. Then, parse a JSON string that includes a __proto__ key with a nested object as its value. Pass this parsed object as a configuration option to an Axios HTTP request method, such as GET. When the request is executed, Axios will attempt to merge the configuration, including the __proto__ property, which will trigger the TypeError and cause the application to crash.
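As an added example (not taken from the advisory or from the Axios code base), the check below shows the mechanism at the heart of this advisory from the receiving side: JSON.parse() turns a "__proto__" key into an ordinary own property, and a deep-merge routine that walks own keys is what then trips over it. The hypothetical functions hasOwnProtoKey, stripOwnProtoKeys and safeParseConfig can be run over any untrusted, JSON-derived request config before it is handed to axios, as a defence-in-depth measure alongside the upgrade; the sample JSON is constructed for the demo.

```javascript
// Constructed sample: a request config as it might arrive from an untrusted source.
// JSON.parse() creates "__proto__" here as an OWN data property; an object literal
// {"__proto__": {...}} would instead set the prototype and create no such key.
const UNTRUSTED_JSON =
  '{"headers":{"X-Demo":"1"},"__proto__":{"polluted":true}}';

// Recursively report whether any object in the tree carries an own "__proto__" key.
function hasOwnProtoKey(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some(hasOwnProtoKey);
  if (Object.prototype.hasOwnProperty.call(value, '__proto__')) return true;
  // Object.keys() lists own enumerable keys only, so "__proto__" is already handled above.
  return Object.keys(value).some((key) => hasOwnProtoKey(value[key]));
}

// Return a deep copy with every own "__proto__" key dropped, leaving other fields intact.
function stripOwnProtoKeys(value) {
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map(stripOwnProtoKeys);
  const clean = {};
  for (const key of Object.keys(value)) {
    if (key === '__proto__') continue; // the key that makes mergeConfig throw
    clean[key] = stripOwnProtoKeys(value[key]);
  }
  return clean;
}

// Parse an untrusted JSON config and either reject it (default) or return a cleaned copy.
// Hypothetical helper, not an axios API; call it before axios.get(url, config) or similar.
function safeParseConfig(json, { reject = true } = {}) {
  const parsed = JSON.parse(json);
  if (!hasOwnProtoKey(parsed)) return parsed;
  if (reject) throw new Error('rejected request config: own "__proto__" key present');
  return stripOwnProtoKeys(parsed);
}

// Small demo returning what a caller would observe for the constructed input.
function demo() {
  const flagged = hasOwnProtoKey(JSON.parse(UNTRUSTED_JSON));
  const cleaned = safeParseConfig(UNTRUSTED_JSON, { reject: false });
  return { flagged, cleanedHasProto: Object.prototype.hasOwnProperty.call(cleaned, '__proto__') };
}
```

The rejecting mode is the safer default for request paths, since a legitimate client has no reason to send "__proto__" in a config.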

Remediation

Users can upgrade to Axios version 1.13.5 or later, where this vulnerability has been fixed.

Added: Feb 9, 2026, 9:23 PM
Updated: Feb 9, 2026, 10:18 PM

Vulnerability Rating

Custom Algorithm (score per category, 0.0 to 10.0)
spread: 7.8
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.