🚨 [security] Update axios 1.13.2 → 1.13.5 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ axios (1.13.2 → 1.13.5) · Repo · Changelog

Security Advisories 🚨

🚨 Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig

Denial of Service via proto Key in mergeConfig

Summary

The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.

Details

The vulnerability exists in lib/core/mergeConfig.js at lines 98-101:

utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {
  const merge = mergeMap[prop] || mergeDeepProperties;
  const configValue = merge(config1[prop], config2[prop], prop);
  (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
});

When prop is '__proto__':

1. JSON.parse('{"__proto__": {...}}') creates an object with __proto__ as an own enumerable property
2. Object.keys() includes '__proto__' in the iteration
3. mergeMap['__proto__'] performs prototype chain lookup, returning Object.prototype (truthy object)
4. The expression mergeMap[prop] || mergeDeepProperties evaluates to Object.prototype
5. Object.prototype(...) throws TypeError: merge is not a function

The mergeConfig function is called by:

• Axios._request() at lib/core/Axios.js:75
• Axios.getUri() at lib/core/Axios.js:201
• All HTTP method shortcuts (get, post, etc.) at lib/core/Axios.js:211,224

PoC

import axios from "axios";
const maliciousConfig = JSON.parse('{"proto": {"x": 1}}');

await axios.get("https://httpbin.org/get", maliciousConfig);

Reproduction steps:

1. Clone axios repository or npm install axios
2. Create file poc.mjs with the code above
3. Run: node poc.mjs
4. Observe the TypeError crash

Verified output (axios 1.13.4):

TypeError: merge is not a function
    at computeConfigValue (lib/core/mergeConfig.js:100:25)
    at Object.forEach (lib/utils.js:280:10)
    at mergeConfig (lib/core/mergeConfig.js:98:9)

Control tests performed:

Test	Config	Result
Normal config	{"timeout": 5000}	SUCCESS
Malicious config	JSON.parse('{"__proto__": {"x": 1}}')	CRASH
Nested object	{"headers": {"X-Test": "value"}}	SUCCESS

Attack scenario:
An application that accepts user input, parses it with JSON.parse(), and passes it to axios configuration will crash when receiving the payload {"__proto__": {"x": 1}}.

Impact

Denial of Service - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.

Affected environments:

• Node.js servers using axios for HTTP requests
• Any backend that passes parsed JSON to axios configuration

This is NOT prototype pollution - the application crashes before any assignment occurs.

Release Notes

1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @sachin11063 (first contribution — PR #7323)
• @asmitha-16 (first contribution — PR #7326)

Full Changelog: v1.13.4...v1.13.5

1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release
  • Cleaned up interceptor test files
  • Improved workflow configurations

Infrastructure & CI/CD

• refactor: ci and build (#7340) (8ff6c19)

  • Major refactoring of CI/CD workflows
  • Consolidated workflow files for better maintainability
  • Added mise configuration for the development environment
  • Improved sponsor block update automation
  • Enhanced issue and PR templates
  • Added automatic release notes generation
  • Implemented workflow cancellation for concurrent runs

• chore: codegen and some updates to workflows (76cf77b)

  • Code generation improvements
  • Workflow optimisations

Migration Notes

Breaking Changes

None in this release.

Deprecations

None in this release.

Contributors

Thank you to all contributors who made this release possible! Special thanks to:

• jasonsaayman - Release management and CI/CD improvements

1.13.3

Release notes:

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes /github.com/microsoft/TypeScript/issues/33471#issuecomment-1376364329

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad
• JohnTitor
• rohit miryala
• Wilson Mun
• techcodie
• Ved Vadnere
• svihpinc
• SANDESH LENDVE
• Lubos
• Jarred Sumner
• Adam Hines
• Subhan Kumar Rai
• Joseph Frazier
• KT0803
• Albie
• Jake Hayes

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 67 commits:

• chore(release): prepare release 1.13.5 (#7379)
• ci: fix run condition (#7373)
• ci: update ymls (#7372)
• docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• feat: add input validation to isAbsoluteURL (#7326)
• fix: Denial of Service via __proto__ Key in mergeConfig (#7369)
• docs: clarify object check comment (#7323)
• fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• fix: added a option to choose between legacy and the new request/response interceptor ordering
• chore(deps-dev): bump karma-sourcemap-loader (#7360)
• refactor: bump minors package versions (#7356)
• chore: fix issues with yml (#7355)
• chore(release): prepare release 1.13.4 (#7353)
• fix: issues with version 1.13.3 (#7352)
• fix: release branch yml
• fix: all merge configs
• refactor: ci and build (#7340)
• chore(release): v1.13.3 (#7335)
• revert(deps): bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334)
• chore(sponsor): update sponsor block (#7330)
• fix(types): restore AxiosError.cause type from unknown to Error (#7327)
• fix(interceptor): handle the error in the same interceptor (#6269)
• fix: main field in package.json should correspond to cjs artifacts (#5756)
• fix(types): add handlers to AxiosInterceptorManager interface (#5551)
• docs: refresh CDN URLs and example JSON headers (#7236)
• doc: update deprecated var usage in documentation examples (#7246)
• docs: add async/await timeout handling example (#7250)
• chore: remove unnecessary eslint-disable directive (#7283)
• docs: add abort controller example (#7287)
• docs: fix typo in multipart/form-data README section (#7311)
• chore(deps): bump the production_dependencies group across 1 directory with 2 updates (#7231)
• chore(deps): bump peter-evans/create-pull-request (#7303)
• Add "API clients" section to Ecosystem (#7312)
• chore(sponsor): update sponsor block (#7308)
• fix(http2): Use port 443 for HTTPS connections by default. (#7256)
• docs: add typescript example for custom instance (#7288)
• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298)
• test: add Node unit tests for toFormData and refactor buildURL to avoid param reassignment (#7272)
• chore(deps-dev): bump tar-fs from 2.1.1 to 2.1.4 (#7244)
• fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7257)
• feat: add Node.js coverage script using c8 (closes #7289) (#7294)
• chore(deps): bump the github-actions group across 1 directory with 2 updates (#7282)
• chore(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 (#7296)
• chore(deps-dev): bump node-forge from 1.3.1 to 1.3.3 (#7293)
• feat: enhance pipeFileToResponse with error handling (#7169)
• chore(sponsor): update sponsor block (#7285)
• chore: remove TODO comment and dead code from http adapter error handler (#7229)
• feat: compatibility with frozen prototypes (#6265)
• style: turn '()=>' into '() =>' (#6324)
• feat(types): Intellisense for string literals in a widened union (#6134)
• style: get rid of redundency in imports (#6315)
• fix: unclear error message is thrown when specifying an empty proxy authorization (#6314)
• test: correct relationship between filename and test codes (#6155)
• feat: add automatic minor and patch upgrades to dependabot (#6053)
• chore: add options object to docstring so IDE's indicate it's available (#5999)
• fix(package.json): add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754)
• fix: turn AxiosError into a native error (#5394) (#5558)
• docs: add comprehensive migration guide for 0.x to 1.x upgrade (#7218)
• docs: grammar issue in *.md (#7215)
• chore(deps): bump the github-actions group across 1 directory with 6 updates (#7148)
• feat: add `undefined` as a value in AxiosRequestConfig (#5560)
• docs: readme changes (#7042)
• feat: added copilot instructions
• chore: exclude vscode file
• docs: improved formatting and readability in Code of Conduct (#7198)
• chore: enhance form styling and input placeholders in examples (#7185)
• docs: clarify interceptors execution order (#7201)

↗️ form-data (indirect, 4.0.4 → 4.0.5) · Repo · Changelog

Release Notes

4.0.5 (from changelog)

Commits

• [Tests] Switch to newer v8 prediction library; enable node 24 testing 16e0076
• [Dev Deps] update @ljharb/eslint-config, eslint 5822467
• [Fix] set Symbol.toStringTag in the proper place 76d0dee

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• v4.0.5
• [Dev Deps] update `@ljharb/eslint-config`, `eslint`
• [Fix] set Symbol.toStringTag in the proper place
• [Tests] Switch to newer v8 prediction library; enable node 24 testing

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)