Description
A prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.
Recommendation
Update the axios package to the latest compatible version. Followings are version details:
Affected version(s): **<= 0.31.0 >= 1.0.0, < 1.15.1** Patched version(s): **0.31.1 1.15.1**
References
Related Issues
- Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - CVE-2026-40175
- Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - CVE-2026-42041
- Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` - CVE-2026-42044
- Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion - CVE-2026-42042
You might also like:
- Tags:
- npm
- axios
Anything's wrong? Let us know Last updated on May 05, 2026