Taking Down the Internet's Most Popular HTTP Client with a Single JSON Key

9 points, posted 7 hours ago
by traekfuglene

2 Comments

traekfuglene

7 hours ago

We used Striga to discover a high-severity vulnerability in axios, the most downloaded HTTP client in JavaScript. Any Node.js service that forwards user-controlled JSON through axios can be crashed with a single request. CVE-2026-25639. Patched in 1.13.5.

hackerman70000

6 hours ago

The prototype chain lookup on a plain object as a strategy map is a pattern that shows up everywhere in JS, not just axios. Surprised this wasn't caught earlier.
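The pattern this comment names, as an added illustration that is not code from axios or from either commenter: the map, the `encodeUnsafe`/`encodeSafe` handlers and the sample keys are made up for the example, and which key axios itself mishandled is not stated on this page.

```javascript
// Hypothetical strategy map (not axios' code): a plain object literal, so it
// inherits every property of Object.prototype.
const strategies = {
  json: (body) => JSON.stringify(body),
  form: (body) => new URLSearchParams(body).toString(),
};

// Vulnerable lookup: `strategies[kind]` walks the prototype chain, so a caller
// supplied kind such as "__proto__" or "hasOwnProperty" yields a truthy value,
// the "unsupported" branch is skipped, and the call that follows throws an
// error the handler never planned for. Left uncaught, that takes the process down.
function encodeUnsafe(kind, body) {
  const strategy = strategies[kind];
  if (!strategy) throw new RangeError(`unsupported encoding: ${kind}`);
  return strategy(body);
}

// Hardened lookup: only own, callable entries are accepted. Building the map
// with Object.create(null) or a Map removes the inherited keys as well.
function encodeSafe(kind, body) {
  if (!Object.hasOwn(strategies, kind) || typeof strategies[kind] !== 'function') {
    throw new RangeError(`unsupported encoding: ${kind}`);
  }
  return strategies[kind](body);
}

// Classify an outcome: 'ok', 'rejected' (the intended validation error), or
// 'crash' (an error the validation should have prevented).
function probe(encode, kind, body = { a: 1 }) {
  try {
    encode(kind, body);
    return 'ok';
  } catch (err) {
    return err instanceof RangeError ? 'rejected' : 'crash';
  }
}

// Constructed inputs: a registered kind, an unknown kind, and keys that exist
// only because Object.prototype is on the chain.
const sampleKinds = ['json', 'xml', '__proto__', 'hasOwnProperty', 'constructor'];

function compare() {
  return sampleKinds.map((k) => ({
    kind: k,
    unsafe: probe(encodeUnsafe, k),
    safe: probe(encodeSafe, k),
  }));
}

console.table(compare());
```

Note the `constructor` row: the unsafe lookup reports "ok" because `Object(body)` ran instead of an encoder, so the wrong value is returned silently rather than thrown.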