Security Bulletin: IBM Maximo Application Suite uses axios-1.12.2.tgz which is vulnerable to CVE-2026-25639.
Details
CVSS v3
7.5
NVD published
2026-02-09 21:15:49
EPSS
<0.1% probability · 15.8th percentile — 2026-04-29
Affected versions
cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*
Summary
Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.