CVE Details
| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
|---|---|---|---|---|---|---|
| CVE-2026-25639 | HIGH | axios | 1.12.2 | 1.13.5 | 2026-02-09T21:15:49.01Z | 2026-02-10T10:18:20.346131799Z |
Affected Docker Images
| Image Name | SHA |
|---|---|
| public.ecr.aws/lambda/nodejs:latest | public.ecr.aws/lambda/nodejs@sha256:4ed7941bc71730d919b77c434f6be5df991321591eaf3505ca7382ab44e41a68 |
| public.ecr.aws/lambda/nodejs:24 | public.ecr.aws/lambda/nodejs@sha256:a57c1c79ef686d0254793687ee483ac5e28b9e2be40163a807f36c3ce1c6be1f |
| public.ecr.aws/lambda/nodejs:22 | public.ecr.aws/lambda/nodejs@sha256:4ed7941bc71730d919b77c434f6be5df991321591eaf3505ca7382ab44e41a68 |
| public.ecr.aws/lambda/nodejs:20 | public.ecr.aws/lambda/nodejs@sha256:4bafab0e2f89551caa7f5fcc2647bb809b89baed40a58278f533758e7a0c9093 |
Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in 1.13.5.
Remediation Steps
- Update the affected package axios from version 1.12.2 to 1.13.5.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.