Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

Description

No description available.

Recommendation

Update the axios package to the latest compatible version. Followings are version details:

• Affected version(s): **<= 0.31.0

  >= 1.0.0, < 1.15.1**

• Patched version(s): **0.31.1

  1.15.1**

References

• GHSA-w9j2-pvgh-6h63
• CVE-2026-42041
• CWE-1321
• CWE-287
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A7

Related Issues

• Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion - CVE-2026-42042
• Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` - CVE-2026-42044
• lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - CVE-2026-2950
• lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash.unset - CVE-2026-2950

You might also like:

How do hackers hack websites?

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

axios