What is the CVSS score of CVE-2026-25639?

CVE-2026-25639 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Node.js are affected by CVE-2026-25639?

Axios library versions up to 0.30.3 contain a vulnerability that could allow attackers to bypass security checks, potentially compromising applications that handle sensitive data or transactions.. A patch is available.

Is there a public PoC exploit available for CVE-2026-25639?

Yes, a public proof-of-concept exploit is available for CVE-2026-25639. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-25639?

Within 24 hours: Inventory all applications and services using Axios and identify affected versions (≤0.30.3). Within 7 days: Upgrade Axios to version 0.31.0 or later across all development, staging, and production environments; prioritize customer-facing and data-handling applications first. Within 30 days: Complete full regression testing of upgraded applications and validate no functionality degradation occurred.

Node.js CVE-2026-25639

HIGH

Improper Check for Unusual or Exceptional Conditions (CWE-754)

2026-02-09 security-advisories@github.com

GHSA-43fc-jf86-j433

Node.js Denial Of Service

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Red Hat

7.5 HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 18, 2026 - 18:24 vuln.today

Public exploit code

Patch released

Feb 18, 2026 - 18:24 nvd

Patch available

CVE Published

Feb 09, 2026 - 21:15 nvd

HIGH 7.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

273 npm packages depend on axios (189 direct, 84 indirect)

Ecosystem-wide dependent count for version 1.0.0.

DescriptionGitHub Advisory

Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.

AnalysisAI

Axios versions up to 0.30.3 is affected by improper check for unusual or exceptional conditions (CVSS 7.5).

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft JSON payload with __proto__ property

Exploit

Send to axios mergeConfig function

Execution

Trigger TypeError exception

Impact

Application crashes causing denial of service

Access

Craft JSON payload with __proto__ property

Exploit

Send to axios mergeConfig function

Execution

Trigger TypeError exception

Impact

Application crashes causing denial of service

Vulnerability AssessmentAI

Exploitation	Application must use axios versions prior to 0.30.3 or 1.13.5 and process untrusted JSON configuration objects through mergeConfig function without input validation. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to compromise the affected system.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all applications and services using Axios and identify affected versions (≤0.30.3). …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53633 CRITICAL Act Now

9.8 Jun 15

Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) a

CVE-2026-48714 CRITICAL Act Now

9.1 Jun 15

Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.p

CVE-2026-53609 CRITICAL Act Now

9.1 Jun 12

Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object

CVE-2026-48054 HIGH This Week

8.8 Jun 11

Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied

CVE-2026-53608 HIGH This Week

8.7 Jun 12

Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default edito

Vendor StatusVendor

CVE-2026-25639 vulnerability details – vuln.today

Back

Node.js CVE-2026-25639

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

Blast Radius

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code