Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

Description

No description available.

Recommendation

Update the axios package to the latest compatible version. Followings are version details:

• Affected version(s): >= 1.0.0, < 1.15.2
• Patched version(s): 1.15.2

References

• GHSA-3w6x-2g7m-8v23
• CVE-2026-42044
• CWE-1321
• CWE-915
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A8

Related Issues

• Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion - CVE-2026-42042
• Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking - CVE-2026-42033
• Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - CVE-2026-42041
• seroval Affected by Prototype Pollution via JSON Deserialization - CVE-2026-23736

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

axios