Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking

Description

When Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body.

Recommendation

Update the axios package to the latest compatible version. Followings are version details:

• Affected version(s): **<= 0.31.0

  >= 1.0.0, < 1.15.1**

• Patched version(s): **0.31.1

  1.15.1**

References

• GHSA-pf86-5x62-jrwf
• CVE-2026-42033
• CWE-1321
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking - CVE-2026-42264
• Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` - CVE-2026-42044
• Axios: unbounded recursion in toFormData causes DoS via deeply nested request data - CVE-2026-42039
• Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion - CVE-2026-42042

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

axios