Taking Down the Internet's Most Popular HTTP Client with a Single JSON Key

We used Striga to discover a high-severity vulnerability in axios, the most downloaded HTTP client in JavaScript. Any Node.js service that forwards user-controlled JSON through axios can be crashed with a single request. CVE-2026-25639. Patched in 1.13.5.