Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
Severity: High
Description
Five config properties in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request.
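The following is an added example, not axios code and not part of this advisory. It reproduces the mechanism the description refers to with a generic config reader: an unguarded `config[key]` read walks the prototype chain and returns whatever has been planted on `Object.prototype`, while an own-property guard or a null-prototype copy ignores inherited values. It also includes a small runtime check a service can run to detect that sensitive keys have appeared on `Object.prototype`. The key names `auth` and `proxy`, the config shape and the planted values are assumptions constructed for the demo; the advisory does not name the five affected properties.

```javascript
// Added example (not axios code). Config key names and planted values are
// constructed for the demo and are not taken from the advisory.

// Unguarded read: `config[key]` walks the prototype chain, so a value placed
// on Object.prototype by some other dependency is returned as if the caller
// had set it on this request.
function readOptionUnguarded(config, key) {
  return config[key];
}

// Guarded read: only honour properties the caller actually set on the config
// object itself; anything inherited from the prototype chain is ignored.
function readOptionGuarded(config, key) {
  return Object.prototype.hasOwnProperty.call(config, key) ? config[key] : undefined;
}

// Alternative hardening: copy own keys onto a null-prototype object so there
// is no chain to walk at all when options are read later.
function toNullProtoConfig(config) {
  const clean = Object.create(null);
  for (const key of Object.keys(config)) {
    clean[key] = config[key];
  }
  return clean;
}

// Defensive self-check: report which of the given sensitive keys currently
// exist as own properties of Object.prototype. None of them should.
function detectPrototypePollution(sensitiveKeys) {
  return sensitiveKeys.filter((k) => Object.prototype.hasOwnProperty.call(Object.prototype, k));
}

// Simulate, inside this process only, the situation the advisory describes:
// another dependency has already polluted Object.prototype. The pollution is
// removed again in `finally` so the process is left clean.
function demo() {
  const SENSITIVE_KEYS = ["auth", "proxy"]; // assumed sensitive config keys
  const planted = {
    auth: "injected-user:injected-pass", // constructed value
    proxy: { host: "proxy.invalid", port: 8080 }, // constructed value
  };
  for (const [k, v] of Object.entries(planted)) {
    Object.prototype[k] = v;
  }
  try {
    // The caller set only a URL; no auth and no proxy.
    const userConfig = { url: "https://api.example.com/" };
    const nullProto = toNullProtoConfig(userConfig);
    return {
      pollutedKeys: detectPrototypePollution(SENSITIVE_KEYS),
      unguardedAuth: readOptionUnguarded(userConfig, "auth"),
      unguardedProxyHost: (readOptionUnguarded(userConfig, "proxy") || {}).host,
      guardedAuth: readOptionGuarded(userConfig, "auth"),
      guardedProxy: readOptionGuarded(userConfig, "proxy"),
      nullProtoAuth: nullProto.auth,
      nullProtoProxy: nullProto.proxy,
    };
  } finally {
    for (const k of Object.keys(planted)) {
      delete Object.prototype[k];
    }
  }
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints the contrast: the unguarded reads return the planted credential and proxy host, the guarded and null-prototype reads return `undefined`, and `pollutedKeys` lists both planted keys while the pollution is present. In a real service the `detectPrototypePollution` check belongs in a startup or periodic health check, with the key list matching the request options the HTTP client actually consumes.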
Recommendation
Update the axios package to the latest compatible version. Version details:
- Affected version(s): >= 1.0.0, < 1.15.2
- Patched version(s): 1.15.2
Related Issues
- Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking - CVE-2026-42033
- Axios: Header Injection via Prototype Pollution - CVE-2026-42035
- Undici has an HTTP Request/Response Smuggling issue - CVE-2026-1525
- devalue has prototype pollution in devalue.parse and devalue.unflatten - CVE-2026-30226
Tags: npm, axios
Last updated on May 12, 2026