[v0.30.2/0.30.3] : Prototype pollution / DoS in mergeConfig (CVE-2026-25639)

[VikramSingh1994]

Hello Axios Team,

First, thank you for addressing the recent security vulnerability in v1.13.5.

We noticed that the same vulnerability affecting earlier versions (including the 0.x branch) was reportedly addressed in v0.30.3. However, security scanners (e.g., Snyk) are still flagging v0.30.3 as vulnerable.

Could you please clarify:

If there are additional patches planned for the 0.x branch?

Many enterprise projects are still dependent on the 0.x line, and confirmation of the security status (or an additional patch release if needed) would be greatly appreciated.

Thank you for your continued support and maintenance of Axios.

Best regards,
Vikram.
https://security.snyk.io/package/npm/axios/0.30.3

[jasonsaayman]

i adjusted the CVE

should it still show up in a day or two let me know and i will reach out to GH Sec team and SYNK

[VikramSingh1994]

Thanks @jasonsaayman ,
Its has been fixed and High vulnerability mark has been removed from this version.
Thanks.