VDB
RHSA-2026%3A8499
RHSA-2026%3A8499
PUBLISHED
CVSS 7.5 HIGH
A denial of service flaw has been discovered in the Axios npm package. the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | registry.redhat.io/satellite/iop-advisor-frontend-rhel9@sha256:9daf45edc32d3fbb6d3aea43d981b09b4ddd4a762bad4fb36f516b4ee81a0d7b_amd64 as a component of Red Hat Satellite 6.18 | registry.redhat.io/satellite/iop-advisor-frontend-rhel9@sha256:9daf45edc32d3fbb6d3aea43d981b09b4ddd4a762bad4fb36f516b4ee81a0d7b_amd64, registry.redhat.io/satellite/iop-advisor-frontend-rhel9@sha256:9daf45edc32d3fbb6d3aea43d981b09b4ddd4a762bad4fb36f516b4ee81a0d7b_amd64, registry.redhat.io/satellite/iop-advisor-frontend-rhel9@sha256:9daf45edc32d3fbb6d3aea43d981b09b4ddd4a762bad4fb36f516b4ee81a0d7b_amd64 |
| Red Hat | registry.redhat.io/satellite/iop-advisor-frontend-rhel9@sha256:9daf45edc32d3fbb6d3aea43d981b09b4ddd4a762bad4fb36f516b4ee81a0d7b_amd64 as a component of Red Hat Satellite 6.18 | *, registry.redhat.io/satellite/iop-advisor-frontend-rhel9@sha256:9daf45edc32d3fbb6d3aea43d981b09b4ddd4a762bad4fb36f516b4ee81a0d7b_amd64, * |
Timeline
- Apr 16, 2026 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- May 14, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2026:8499 advisory
- https://access.redhat.com/documentation/en-us/red_hat_satellite/6.18/html/updating_red_hat_satellite/index advisory
- https://access.redhat.com/security/cve/CVE-2026-25639 advisory
- https://access.redhat.com/security/cve/CVE-2026-40175 advisory
- https://access.redhat.com/security/updates/classification/ advisory
- https://catalog.redhat.com/software/containers/search advisory
- https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_connected_network_environment/performing-additional-configuration-on-server_satellite#installing-and-configuring-red-hat-lightspeed-in-satellite advisory
- https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_disconnected_network_environment/performing-additional-configuration#installing-and-configuring-red-hat-lightspeed-in-satellite advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_8499.json advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2438237 issue
- https://www.cve.org/CVERecord?id=CVE-2026-25639 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-25639 advisory
- https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57 advisory
- https://github.com/axios/axios/releases/tag/v1.13.5 advisory
- https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2457432 issue
- https://www.cve.org/CVERecord?id=CVE-2026-40175 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-40175 advisory
- https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1 advisory
- https://github.com/axios/axios/pull/10660 advisory
…and 2 more