Axios · Axios · CVE-2026-44489
**Name of the Vulnerable Software and Affected Versions**
Axios versions 1.15.2 through 1.15.9
**Description**
Nested objects created by the `merge()` function in `utils.js` are constructed as plain objects, so `Object.prototype` remains in their prototype chain. The `setProxy()` function in `lib/adapters/http.js` reads the `username`, `password`, and `auth` properties of the merged `proxy` object without `hasOwnProperty` checks, so a property that is absent from the object itself is resolved from the prototype. If `Object.prototype.username` (or `Object.prototype.auth`) has been polluted, `setProxy()` builds a `Proxy-Authorization` header from the attacker-controlled value and attaches it to every proxied HTTP request sent by the adapter. Exploitation requires a prototype pollution primitive elsewhere in the application (for example an unsafe recursive merge of attacker-controlled JSON); this issue concerns how such pollution reaches the proxy credentials. It is a patch bypass of a previous fix that only protected top-level configuration objects, not the nested objects that `merge()` produces.
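The reads described above, reproduced as an added illustration that is not Axios's own code: a stand-in deep merge that builds plain objects, an unguarded header builder modelling the inherited-property lookups, and a hardened variant that honours only own string-valued properties. The function names (`mergeConfig`, `proxyAuthHeaderUnguarded`, `proxyAuthHeaderGuarded`, `withPollutedPrototype`) and the proxy host in the constructed config are assumptions for the example.

```javascript
// Added example, not Axios source. Models the property reads the advisory
// describes; names and sample values are hypothetical.

// Stand-in for a deep merge that produces plain objects (Object.prototype
// stays in the chain), which is the shape the advisory attributes to merge().
function mergeConfig(...sources) {
  const result = {};
  for (const src of sources) {
    if (!src || typeof src !== 'object') continue;
    for (const key of Object.keys(src)) {
      const val = src[key];
      if (val && typeof val === 'object' && !Array.isArray(val)) {
        const existing = typeof result[key] === 'object' ? result[key] : undefined;
        result[key] = mergeConfig(existing, val);
      } else {
        result[key] = val;
      }
    }
  }
  return result;
}

// Unguarded reads: `proxy.auth`, `proxy.username` and `proxy.password` are
// resolved through the prototype chain, so polluted Object.prototype values
// end up in the Proxy-Authorization header.
function proxyAuthHeaderUnguarded(proxy) {
  if (!proxy) return undefined;
  let auth = proxy.auth;
  if (proxy.username) {
    auth = (proxy.username || '') + ':' + (proxy.password || '');
  }
  if (!auth) return undefined;
  return 'Basic ' + Buffer.from(String(auth), 'utf8').toString('base64');
}

// Hardened variant: only own, string-valued properties are honoured.
function ownString(obj, key) {
  return Object.hasOwn(obj, key) && typeof obj[key] === 'string' ? obj[key] : undefined;
}

function proxyAuthHeaderGuarded(proxy) {
  if (!proxy) return undefined;
  let auth = ownString(proxy, 'auth');
  const user = ownString(proxy, 'username');
  if (user !== undefined) {
    auth = user + ':' + (ownString(proxy, 'password') ?? '');
  }
  if (!auth) return undefined;
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

// Runs fn() with the given keys temporarily planted on Object.prototype,
// standing in for a pollution primitive elsewhere in the app; always cleans up.
function withPollutedPrototype(props, fn) {
  for (const [k, v] of Object.entries(props)) {
    Object.defineProperty(Object.prototype, k,
      { value: v, writable: true, configurable: true, enumerable: false });
  }
  try {
    return fn();
  } finally {
    for (const k of Object.keys(props)) delete Object.prototype[k];
  }
}

// Constructed config: a proxy with no credentials of its own.
function demo() {
  const config = mergeConfig({ proxy: { host: 'proxy.example.internal', port: 8080 } });
  return withPollutedPrototype({ username: 'attacker', password: 'hunter2' }, () => ({
    unguarded: proxyAuthHeaderUnguarded(config.proxy), // attacker's credentials leak in
    guarded: proxyAuthHeaderGuarded(config.proxy),     // undefined: no own credentials
  }));
}

// Legitimate credentials still work with the guarded variant.
function demoLegit() {
  const config = mergeConfig({ proxy: { host: 'proxy.example.internal', username: 'u', password: 'p' } });
  return proxyAuthHeaderGuarded(config.proxy);
}
```

The guarded variant shows one of the two usual fixes (own-property checks at the read site); the other is to have the merge build null-prototype objects with `Object.create(null)` so there is no `Object.prototype` in the chain to pollute. Neither removes the pollution primitive itself, which still needs fixing wherever it lives.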
**Recommendations**
Update Axios to version 1.16.0 or later.
As a temporary workaround, do not pass a `proxy` object in the instance or request configuration of the affected versions until the update is applied. This only closes the path into `setProxy()`; it does not remove the prototype pollution primitive that the attack depends on, so also locate and fix that primitive. Freezing `Object.prototype` at process start (`Object.freeze(Object.prototype)`) is a general defence-in-depth measure against such primitives, provided the application and its dependencies do not legitimately extend `Object.prototype`.