Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion

Description

No description available.

Recommendation

Update the axios package to the latest compatible version. Followings are version details:

• Affected version(s): **<= 0.31.0

  >= 1.0.0, < 1.15.1**

• Patched version(s): **0.31.1

  1.15.1**

References

• GHSA-xx6v-rp6x-q39c
• CVE-2026-42042
• CWE-183
• CWE-201
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A4
• OWASP 2021-A6

Related Issues

• Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - CVE-2026-42041
• Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` - CVE-2026-42044
• Axios: Header Injection via Prototype Pollution - CVE-2026-42035
• lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - CVE-2026-2950

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

axios