Bug
Resolution: Done
4.22
Security Tracking Issue
Do not make this issue public.
Flaw:
Axios affected by Denial of Service via __proto__ Key in mergeConfig
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in 1.13.5.
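A defensive pre-check for the condition described above, as an added example that is not part of this tracker or of axios's own code: it detects and strips own `__proto__` keys from JSON-parsed configuration before the data reaches a merge routine. `toyMerge`, its handler table and `mergeUntrusted` are constructed stand-ins (assumptions), and the JSON inputs are constructed samples.

```javascript
'use strict';

// JSON.parse defines "__proto__" as an ordinary own property; in an object
// literal the same key would set the prototype instead.
function hasOwnProtoKey(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Object.prototype.hasOwnProperty.call(value, '__proto__')) return true;
  return Object.keys(value).some((k) => hasOwnProtoKey(value[k]));
}

// Deep copy of JSON-derived data with every own "__proto__" key dropped.
function stripProtoKeys(value) {
  if (Array.isArray(value)) return value.map(stripProtoKeys);
  if (value === null || typeof value !== 'object') return value;
  const clean = {};
  for (const key of Object.keys(value)) {
    if (key !== '__proto__') clean[key] = stripProtoKeys(value[key]);
  }
  return clean;
}

// Constructed stand-in for a config merge (NOT axios source). Per-key handlers
// live in a plain object, so looking up "__proto__" yields Object.prototype,
// which is truthy but not callable, and the call throws a TypeError.
const handlers = { timeout: (a, b) => (b === undefined ? a : b) };
const defaultHandler = (a, b) => (b === undefined ? a : b);

function toyMerge(base, override) {
  const out = {};
  for (const key of Object.keys({ ...base, ...override })) {
    const merge = handlers[key] || defaultHandler;
    out[key] = merge(base[key], override[key]);
  }
  return out;
}

// Hypothetical wrapper: parse untrusted JSON, sanitize, then merge.
function mergeUntrusted(base, jsonText) {
  return toyMerge(base, stripProtoKeys(JSON.parse(jsonText)));
}
```

Upgrading to the fixed release named above remains the remedy; a filter like this only keeps hostile keys out of configuration built from untrusted JSON.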
~~~
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://prodsec.pages.redhat.com/prodsec-docs/incident-response/Vulnerability_Management_Essentials/
Tracker accuracy feedback form: https://docs.google.com/forms/d/e/1FAIpQLSfa6zTaEGohRdiIqGVAvWTSAL0kpO_DkkEICuIHzQHFwmKswg/viewform