Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential...

7.4 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.

Basic Information

ID CVE-2026-42264

Source GitHub_M

Published May 8, 2026 at 03:20

Affected Product

Vendor axios

Product axios

Version >= 1.0.0, < 1.15.2

Affected Versions axios axios >= 1.0.0, < 1.15.2

CWE Classification

CWE-1321

References

{
    "lastseen": "",
    "description": "Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.",
    "published": "2026-05-08T03:20:24.248Z",
    "modified": "2026-05-08T03:20:24.248Z",
    "type": "cve",
    "title": "Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking",
    "source": "GitHub_M",
    "references": "https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj\nhttps://github.com/axios/axios/pull/10779\nhttps://github.com/axios/axios/commit/47915144662f2733e6c051bdcb895a8c8f0586aa\nhttps://github.com/axios/axios/releases/tag/v1.15.2",
    "id": "CVE-2026-42264",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1321"
    ],
    "cvelist": null,
    "sourceData": "axios axios >= 1.0.0, < 1.15.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.4,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "axios",
    "version": ">= 1.0.0, < 1.15.2",
    "vendor": "axios",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking_CVE-2026-42264