How CVE-2026-25639 works:
This CVE affects axios versions 1.13.3 and 1.13.4. When a user passes a config object that has `__proto__` as an own key (e.g. `{"__proto__": {"x": 1}}`), axios's `mergeConfig` function iterates over the config's own keys. The `mergeMap` dictionary is a plain object, so looking up the key `__proto__` walks the prototype chain and returns `Object.prototype` (a non-function). axios then calls this value as a function, causing a `TypeError` that crashes the Node.js process. The fix in v1.13.5 added a block that rejects `__proto__`, `constructor` and `prototype` as config keys, plus a `hasOwnProp` guard on `mergeMap` access. However, this fix does NOT address other prototype pollution gadgets, where an `Object.prototype` polluted through a separate co-dependency (e.g. lodash <4.17.21) injects keys such as `parseReviver` or `transport`. Those remain exploitable up to 1.13.6.
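The lookup failure described above, and the guard the 1.13.5 fix added, shown on a minimal model of the merge loop. This is an added example, not axios's own code; `mergeMap`, `mergeConfigVulnerable`, `mergeConfigSafe` and `BLOCKED_KEYS` are hypothetical names that stand in for the real module's internals.

```javascript
// Minimal model of a mergeConfig-style loop (not the axios implementation).
// The dictionary of merge strategies is a plain object, so a lookup of an
// inherited name such as "__proto__" falls through to Object.prototype.
const mergeMap = {
  url: (a, b) => (b === undefined ? a : b),
  headers: (a, b) => Object.assign({}, a, b),
};
const takeLatest = (a, b) => (b === undefined ? a : b);
const hasOwnProp = (obj, prop) => Object.prototype.hasOwnProperty.call(obj, prop);
const allKeys = (c1, c2) => new Set([...Object.keys(c1), ...Object.keys(c2)]);

// Vulnerable shape: whatever the key resolves to is called as a function.
// JSON.parse('{"__proto__": {"x": 1}}') yields an OWN key "__proto__", so
// mergeMap["__proto__"] is Object.prototype: truthy, but not callable.
function mergeConfigVulnerable(config1, config2) {
  const config = {};
  for (const prop of allKeys(config1, config2)) {
    const merge = mergeMap[prop] || takeLatest;
    config[prop] = merge(config1[prop], config2[prop]); // TypeError on "__proto__"
  }
  return config;
}

// Hardened shape, mirroring the fix the text describes: reject the three
// dangerous keys outright and only use strategies the map itself owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeConfigSafe(config1, config2) {
  const config = {};
  for (const prop of allKeys(config1, config2)) {
    if (BLOCKED_KEYS.has(prop)) {
      throw new TypeError(`Disallowed config key: ${prop}`);
    }
    const merge = hasOwnProp(mergeMap, prop) ? mergeMap[prop] : takeLatest;
    config[prop] = merge(config1[prop], config2[prop]);
  }
  return config;
}
```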
dailycve form:
Platform: Node.js
Version: 1.13.3-1.13.4
Vulnerability: Prototype pollution crash
Severity: Medium
Date: 2024-04-15 (approx)
Prediction: Already patched (1.13.5)
What Undercode Say:
Analytics: the following bash commands test for the prototype pollution gadget in a vulnerable axios process:
# Check whether the installed axios version is in the affected range
npm list axios | grep -E "1.13.[0-4]"
# Simulate pollution via lodash (if used): a string value is used because
# JSON cannot carry a function literal. Prints "polluted" when lodash is
# vulnerable and axios resolves the inherited key, undefined otherwise.
node -e "const _ = require('lodash'); _.merge({}, JSON.parse('{\"__proto__\":{\"parseReviver\":\"polluted\"}}')); const axios = require('axios'); console.log(axios.defaults.parseReviver);"
Exploit:
An attacker who can inject prototype pollution into the same Node.js process (e.g., via malicious JSON merge in lodash) can activate gadgets:
- `parseReviver`: intercept and modify all JSON responses (exfiltrate data, escalate privileges).
- `transport`: hijack every HTTP request, stealing credentials, headers, and body.
- `transformRequest`/`transformResponse`: run arbitrary functions on request/response data.
Proof-of-concept code (client-side pollution):
// Pollute the gadget key on the shared prototype; axios resolves it through
// the prototype chain because the own-property guard is missing.
Object.prototype.parseReviver = (key, val) => {
  console.log(`[bash] ${key}=${JSON.stringify(val)}`);
  return key === 'admin' ? true : val;
};
// Any axios.get() will now tamper responses.
Protection from this CVE:
1. Upgrade lodash to >=4.17.21 and all prototype-pollution-prone dependencies.
2. Apply the suggested fixes in axios (not yet released):
   - Use `hasOwnProperty` before reading `parseReviver` in lib/defaults/index.js.
   - Add a `utils.hasOwnProp(config2, prop)` guard in `mergeConfig.js` line 102.
   - Check `hasOwnProp` on `config.transport` in lib/adapters/http.js.
3. Freeze `Object.prototype` early in application startup:
   Object.freeze(Object.prototype);
4. Use the `--disable-proto` flag in Node.js (experimental).
Impact:
- Confidentiality: Credentials (Basic auth, headers) and full response data exfiltrated.
- Integrity: JSON responses silently tampered (e.g., role → admin, balance → 999999).
- Availability: Not directly impacted, but a crash is possible via a `__proto__` payload.
- Scope: Any Node.js application using axios 0.19.0–1.13.6 alongside a prototype‑pollution‑vulnerable library (lodash, merge, etc.) is fully compromised.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

