Axios: Header Injection via Prototype Pollution_CVE-2026-42035

7.4 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.

Basic Information

ID CVE-2026-42035

Source GitHub_M

Published Apr 24, 2026 at 17:38

Affected Product

Vendor axios

Product axios

Version >= 1.0.0, < 1.15.1

Affected Versions axios axios >= 1.0.0, < 1.15.1
axios axios < 0.31.1

CWE Classification

CWE-113 CWE-1321

References

github.com /axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9

{
    "lastseen": "",
    "description": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself \u2014 any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.",
    "published": "2026-04-24T17:38:07.752Z",
    "modified": "2026-04-24T17:38:07.752Z",
    "type": "cve",
    "title": "Axios: Header Injection via Prototype Pollution",
    "source": "GitHub_M",
    "references": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9",
    "id": "CVE-2026-42035",
    "bulletinFamily": "",
    "cwe": [
        "CWE-113",
        "CWE-1321"
    ],
    "cvelist": null,
    "sourceData": "axios axios >= 1.0.0, < 1.15.1\naxios axios < 0.31.1",
    "sourceHref": "",
    "cvss": {
        "score": 7.4,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "axios",
    "version": ">= 1.0.0, < 1.15.1",
    "vendor": "axios",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}