PT-2026-35043 · Npm · Axios
Raulvdv · Published 2026-04-24 · Updated 2026-05-18 · CVE-2026-42035
CVSS v3.1: 7.4 High
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Axios versions prior to 1.15.1; Axios versions prior to 0.31.1
Description: A prototype pollution gadget exists in the HTTP adapter, 'lib/adapters/http.js'. The adapter identifies the request payload by duck typing: if Object.prototype has been polluted with getHeaders, append, pipe, on, once and Symbol.toStringTag properties, a plain object payload is misidentified as a FormData instance. The adapter then calls the attacker-supplied getHeaders() function, which lets an attacker inject arbitrary HTTP headers into outgoing requests. The pollution can come from any prototype pollution primitive in the application's dependency tree; it need not originate in Axios itself.
Recommendations: Update to version 1.15.1 or later. Update to version 0.31.1 or later.
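The following is an added example, not Axios code and not the upstream fix. It shows why a duck-typed FormData check is fooled once Object.prototype carries the six names the advisory lists, contrasts it with a stricter check that refuses to trust properties inherited from Object.prototype, and includes a small runtime check that reports which of those gadget names are present on Object.prototype. The FakeForm class and the pollution simulation are constructed for the demonstration; the simulation restores Object.prototype before returning.

```javascript
// Added example (not axios code): weak duck-typed FormData detection versus a
// check that ignores properties inherited from Object.prototype, plus a
// detector for the gadget names the advisory lists.

// The property names the advisory names as the duck-typing surface.
const FORMDATA_DUCK_KEYS = ['getHeaders', 'append', 'pipe', 'on', 'once', Symbol.toStringTag];

// Weak check, modelled on the duck typing the advisory describes (illustrative,
// not the upstream code): anything that *responds* to these names passes, no
// matter where on the prototype chain the values come from.
function looksLikeFormDataDuckTyped(obj) {
  if (obj === null || typeof obj !== 'object') return false;
  return FORMDATA_DUCK_KEYS.every((k) =>
    k === Symbol.toStringTag ? obj[k] === 'FormData' : typeof obj[k] === 'function');
}

// Resolve `key` by walking the prototype chain but stopping *before*
// Object.prototype, so a value that exists only because Object.prototype was
// polluted is never returned.
function resolveBelowObjectPrototype(obj, key) {
  for (let o = obj; o !== null && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    if (Object.prototype.hasOwnProperty.call(o, key)) return o[key];
  }
  return undefined;
}

// Stricter check (one hardening approach assumed here, not necessarily the
// upstream fix): accept a real FormData instance, or an object whose
// FormData-like members live on itself or on a prototype other than Object.prototype.
function looksLikeFormDataStrict(obj) {
  if (obj === null || typeof obj !== 'object') return false;
  if (typeof FormData !== 'undefined' && obj instanceof FormData) return true;
  return FORMDATA_DUCK_KEYS.every((k) => {
    const v = resolveBelowObjectPrototype(obj, k);
    return k === Symbol.toStringTag ? v === 'FormData' : typeof v === 'function';
  });
}

// Detection: which of the gadget names are currently own properties of
// Object.prototype. Empty in a healthy process.
function pollutedGadgetKeys() {
  return FORMDATA_DUCK_KEYS.filter((k) => Object.prototype.hasOwnProperty.call(Object.prototype, k));
}

// Constructed stand-in for a legitimate multipart body class: its members
// live on FakeForm.prototype, not on Object.prototype.
class FakeForm {
  append() {}
  getHeaders() { return { 'content-type': 'multipart/form-data; boundary=constructed' }; }
  pipe() {}
  on() {}
  once() {}
  get [Symbol.toStringTag]() { return 'FormData'; }
}

// Simulate the polluted state the advisory describes for the duration of `fn`,
// then remove the added properties again. Constructed for the demonstration only.
function withSimulatedPollution(fn) {
  try {
    for (const k of FORMDATA_DUCK_KEYS) {
      Object.prototype[k] = k === Symbol.toStringTag ? 'FormData' : function () { return {}; };
    }
    return fn();
  } finally {
    for (const k of FORMDATA_DUCK_KEYS) delete Object.prototype[k];
  }
}

function classify(obj) {
  return { duck: looksLikeFormDataDuckTyped(obj), strict: looksLikeFormDataStrict(obj) };
}

// Compare both checks in a clean process and under simulated pollution.
function demo() {
  const plain = { user: 'alice' }; // an ordinary JSON-style payload
  const form = new FakeForm();
  const clean = { plain: classify(plain), form: classify(form), polluted: pollutedGadgetKeys().length };
  const polluted = withSimulatedPollution(() => ({
    plain: classify(plain), form: classify(form), polluted: pollutedGadgetKeys().length,
  }));
  return { clean, polluted, restored: pollutedGadgetKeys().length };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running `demo()` shows the plain object classified as FormData by the duck-typed check only while the six names sit on Object.prototype, while the strict check keeps rejecting it and still accepts the FakeForm instance; `pollutedGadgetKeys()` is the kind of cheap assertion a service can run at startup or in a health check to notice that a dependency has polluted the global prototype.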

Tags: Exploit · Fix · Prototype Pollution


Weakness Enumeration

Related Identifiers

CLEANSTART-2026-BE61221
CLEANSTART-2026-LC05413
CVE-2026-42035
GHSA-6CHQ-WFR3-2HJ9

Affected Products

Axios