VDB

RHSA-2026%3A3105

RHSA-2026%3A3105 PUBLISHED CVSS 7.5 HIGH

A denial of service flaw has been discovered in the Axios npm package. the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

VendorProductVersions
Red Hatregistry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:3a12696cddcbd01b02ae332b4f73316808680c5bfa56e3597817e997f8355ba7_arm64 as a component of Red Hat OpenShift Service Mesh 3.1*, registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:3a12696cddcbd01b02ae332b4f73316808680c5bfa56e3597817e997f8355ba7_arm64, registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:3a12696cddcbd01b02ae332b4f73316808680c5bfa56e3597817e997f8355ba7_arm64
Red Hatregistry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:11766a5adbc2780b7620d69cf14cfda2d44bf27ecd5e56696e97491c0152f4af_arm64 as a component of Red Hat OpenShift Service Mesh 3.1*, registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:11766a5adbc2780b7620d69cf14cfda2d44bf27ecd5e56696e97491c0152f4af_arm64, *
Red Hatregistry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cda057051d2354ac54f49cacc382bb8ef05ae198543a6f996b9c9b85abc97d65_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cda057051d2354ac54f49cacc382bb8ef05ae198543a6f996b9c9b85abc97d65_ppc64le, *, *
Red Hatregistry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e044ac52590a4e4747b264c066d56beb2a8360051fecd3880d5b806b069c2d35_amd64 as a component of Red Hat OpenShift Service Mesh 3.1registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e044ac52590a4e4747b264c066d56beb2a8360051fecd3880d5b806b069c2d35_amd64, registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e044ac52590a4e4747b264c066d56beb2a8360051fecd3880d5b806b069c2d35_amd64, registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:e044ac52590a4e4747b264c066d56beb2a8360051fecd3880d5b806b069c2d35_amd64
Red Hatregistry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7d9cc9e8c8323cfd63825308ed3c2dce098ddefaae34c173adb3015ffe70e818_amd64 as a component of Red Hat OpenShift Service Mesh 3.1*, registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7d9cc9e8c8323cfd63825308ed3c2dce098ddefaae34c173adb3015ffe70e818_amd64, registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7d9cc9e8c8323cfd63825308ed3c2dce098ddefaae34c173adb3015ffe70e818_amd64
Red Hatregistry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b180e0fcda8131effc98d2a032400362e60a9cc34f49fb72528bab279865bfc1_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b180e0fcda8131effc98d2a032400362e60a9cc34f49fb72528bab279865bfc1_ppc64le, *, *
Red Hatregistry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:61a42cd27a26463b5ad014ad66b35e69b37c3d58fcaa2f5155dadee1e605e4bc_s390x as a component of Red Hat OpenShift Service Mesh 3.1registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:61a42cd27a26463b5ad014ad66b35e69b37c3d58fcaa2f5155dadee1e605e4bc_s390x, *, registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:61a42cd27a26463b5ad014ad66b35e69b37c3d58fcaa2f5155dadee1e605e4bc_s390x
Red Hatregistry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:8af3bb4095fbc3fbf144e27cc7cd77dc37fa018f72fd6b4fbaa0280cc468b93a_s390x as a component of Red Hat OpenShift Service Mesh 3.1registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:8af3bb4095fbc3fbf144e27cc7cd77dc37fa018f72fd6b4fbaa0280cc468b93a_s390x, *, registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:8af3bb4095fbc3fbf144e27cc7cd77dc37fa018f72fd6b4fbaa0280cc468b93a_s390x

Timeline

  • Feb 23, 2026 CVE Published
  • May 4, 2026 Distribution Patch
  • May 4, 2026 Distribution Patch
  • May 4, 2026 Security Advisory
  • May 4, 2026 Security Advisory
  • May 13, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›