fix(deps): update dependency axios to v1.13.6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
axios (source)	1.8.2 → 1.13.6
axios (source)	1.12.0 → 1.13.6

GitHub Vulnerability Alerts

CVE-2026-25639

Denial of Service via proto Key in mergeConfig

Summary

The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.

Details

The vulnerability exists in lib/core/mergeConfig.js at lines 98-101:

utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {
  const merge = mergeMap[prop] || mergeDeepProperties;
  const configValue = merge(config1[prop], config2[prop], prop);
  (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
});

When prop is '__proto__':

1. JSON.parse('{"__proto__": {...}}') creates an object with __proto__ as an own enumerable property
2. Object.keys() includes '__proto__' in the iteration
3. mergeMap['__proto__'] performs prototype chain lookup, returning Object.prototype (truthy object)
4. The expression mergeMap[prop] || mergeDeepProperties evaluates to Object.prototype
5. Object.prototype(...) throws TypeError: merge is not a function

The mergeConfig function is called by:

• Axios._request() at lib/core/Axios.js:75
• Axios.getUri() at lib/core/Axios.js:201
• All HTTP method shortcuts (get, post, etc.) at lib/core/Axios.js:211,224

PoC

import axios from "axios";

const maliciousConfig = JSON.parse('{"__proto__": {"x": 1}}');
await axios.get("https://httpbin.org/get", maliciousConfig);

Reproduction steps:

1. Clone axios repository or npm install axios
2. Create file poc.mjs with the code above
3. Run: node poc.mjs
4. Observe the TypeError crash

Verified output (axios 1.13.4):

TypeError: merge is not a function
    at computeConfigValue (lib/core/mergeConfig.js:100:25)
    at Object.forEach (lib/utils.js:280:10)
    at mergeConfig (lib/core/mergeConfig.js:98:9)

Control tests performed:

Test	Config	Result
Normal config	{"timeout": 5000}	SUCCESS
Malicious config	JSON.parse('{"__proto__": {"x": 1}}')	CRASH
Nested object	{"headers": {"X-Test": "value"}}	SUCCESS

Attack scenario:
An application that accepts user input, parses it with JSON.parse(), and passes it to axios configuration will crash when receiving the payload {"__proto__": {"x": 1}}.

Impact

Denial of Service - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.

Affected environments:

• Node.js servers using axios for HTTP requests
• Any backend that passes parsed JSON to axios configuration

This is NOT prototype pollution - the application crashes before any assignment occurs.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

---

Release Notes

axios/axios (axios)

v1.13.6

Compare Source

This release focuses on platform compatibility, error handling improvements, and code quality maintenance.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: Users targeting React Native should verify their integration, particularly if relying on specific Blob or FormData behaviours, as improvements have been made to support these objects.

🚀 New Features

• React Native Blob Support: Axios now includes support for React Native Blob objects. Thanks to @​moh3n9595 for the initial implementation. (#​5764)
• Code Quality: Implemented prettier across the codebase and resolved associated formatting issues. (#​7385)

🐛 Bug Fixes

• Environment Compatibility:

  • Fixed module exports for React Native and Browserify environments. (#​7386)
  • Added safe FormData detection for the WeChat Mini Program environment. (#​7324)

• Error Handling:

  • AxiosError.message is now correctly enumerable. (#​7392)
  • AxiosError.from now correctly copies the status property from the source error, ensuring better error propagation. (#​7403)

🔧 Maintenance & Chores

• Dependencies: Updated the development_dependencies group (5 updates). (#​7432)
• Infrastructure: Migrated @​rollup/plugin-babel from v5.3.1 to v6.1.0. (#​7424)
• Documentation: Added missing JSDoc comments to utilities. (#​7427)

🌟 New Contributors

We are thrilled to welcome our new contributors! Thank you for helping improve the project:

• @​Gudahtt (#​7386)
• @​ybbus (#​7392)
• @​Shiwaangee (#​7324)
• @​skrtheboss (#​7403)
• @​Janaka66 (#​7427)
• @​moh3n9595 (#​5764)
• @​digital-wizard48 (#​7424)

Full Changelog: v1.13.5...v1.13.6

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for brilliant-pasca-3e80ec canceled.

Name	Link
🔨 Latest commit	d971005
🔍 Latest deploy log	https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/69e00b519d1a7f00081150a6

[github-actions]

🚀 Performance Test Results

Test Configuration:

• VUs: 4
• Duration: 1m0s

Test Metrics:

• Requests/s: 51.11
• Iterations/s: 17.04
• Failed Requests: 0.00% (0 of 3074)

📜 Logs

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test "-k" "-q" "--vus" "4" "--duration" "1m"

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 1.1 MB 18 kB/s
     data_sent......................: 2.4 MB 39 kB/s
     http_req_blocked...............: avg=5.67µs   min=2.11µs   med=4.9µs    max=261.2µs  p(90)=6.07µs   p(95)=6.7µs   
     http_req_connecting............: avg=196ns    min=0s       med=0s       max=170.47µs p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=77.71ms  min=6.1ms    med=62.52ms  max=381.01ms p(90)=132.88ms p(95)=154.07ms
       { expected_response:true }...: avg=77.71ms  min=6.1ms    med=62.52ms  max=381.01ms p(90)=132.88ms p(95)=154.07ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 3074
     http_req_receiving.............: avg=82.53µs  min=25.72µs  med=74.22µs  max=2.92ms   p(90)=109.29µs p(95)=133.65µs
     http_req_sending...............: avg=32.37µs  min=9.76µs   med=25.8µs   max=860.07µs p(90)=38.51µs  p(95)=53.59µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=77.59ms  min=5.91ms   med=62.38ms  max=380.92ms p(90)=132.76ms p(95)=153.96ms
     http_reqs......................: 3074   51.112139/s
     iteration_duration.............: avg=234.58ms min=160.24ms med=225.33ms max=796.05ms p(90)=287.13ms p(95)=315.19ms
     iterations.....................: 1025   17.042922/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4