
fix: upgrade axios to 1.13.5 (CVE-2026-25639)#688

Open
Jac0xb wants to merge 2 commits into tronprotocol:master from Jac0xb:fix/axios-cve-2026-25639

Conversation


@Jac0xb Jac0xb commented Feb 9, 2026

Summary

  • Upgrades axios from 1.12.2 to 1.13.5 to fix CVE-2026-25639 (High severity)
  • Axios <= 1.13.4 is vulnerable to Denial of Service via __proto__ key in mergeConfig — an attacker can crash any application using axios by providing a malicious JSON-parsed configuration object
  • No breaking changes; this is a minor/patch-level security fix

References

Axios <= 1.13.4 is vulnerable to Denial of Service via __proto__ key
in mergeConfig. An attacker can crash any application using axios by
providing a malicious configuration object created via JSON.parse()
containing __proto__ as an own property.

See: GHSA-43fc-jf86-j433
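An added example, not code from axios or from this PR: a boundary check that refuses JSON-parsed configuration carrying `__proto__` (or similar) as an own key, beside a merge routine that strips such keys at every level. `findForbiddenKey`, `safeMergeConfig` and the sample config are names and values chosen here.

```javascript
// Added example, not axios code and not part of this PR. JSON.parse() turns a
// "__proto__" key into an OWN property of the result (an object literal would
// instead set the prototype). Config merged from such input is what the
// advisory describes, so refuse or strip those keys at the trust boundary.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Return the dotted path of the first forbidden own key found, or null.
// Object.keys() lists own enumerable keys only, which is exactly where a
// JSON-parsed "__proto__" lives.
function findForbiddenKey(value, path = "") {
  if (value === null || typeof value !== "object") return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) return here;
    const nested = findForbiddenKey(value[key], here);
    if (nested !== null) return nested;
  }
  return null;
}

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Deep-merge `override` onto `base` into a null-prototype object, skipping
// forbidden keys at every level so nothing reaches the prototype chain.
function safeMergeConfig(base, override) {
  const out = Object.create(null);
  for (const src of [base, override]) {
    for (const key of Object.keys(src)) {
      if (FORBIDDEN_KEYS.has(key)) continue;            // drop, never copy
      const val = src[key];
      out[key] = isPlainObject(val)
        ? safeMergeConfig(isPlainObject(out[key]) ? out[key] : {}, val)
        : val;
    }
  }
  return out;
}

// Constructed sample input in the shape the advisory describes.
const untrusted = JSON.parse('{"timeout": 5000, "__proto__": {"polluted": true}}');
const defaults = { timeout: 1000, headers: { accept: "application/json" } };

console.log(findForbiddenKey(untrusted));              // "__proto__"
const merged = safeMergeConfig(defaults, untrusted);
console.log(merged.timeout, "__proto__" in merged);    // 5000 false
console.log({}.polluted);                              // undefined: nothing leaked
```

The first check is the cheap one to run on any config that crossed a trust boundary; the merge is for code paths that must accept the input anyway.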