PT-2026-35053 · Npm · Axios

August829 · Published 2026-04-24 · Updated 2026-06-05 · CVE-2026-42044

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Axios versions 1.0.0 through 1.15.1
Description: Axios is a promise-based HTTP client for the browser and Node.js. Versions 1.0.0 through 1.15.1 contain a prototype pollution gadget. The default transformResponse function calls JSON.parse(data, this.parseReviver), where this is the merged request config object. Because parseReviver is not present in the defaults, is not validated by assertOptions, and has no constraints, the property lookup falls through to the prototype chain, and a polluted Object.prototype.parseReviver function is executed for every key-value pair of every JSON response the application receives. This lets an attacker who already holds a prototype pollution primitive in the same process selectively rewrite individual values in JSON API responses, which can lead to privilege escalation, balance manipulation, and authorization bypass. The flaw is a gadget rather than a pollution source: it is reachable only once some other code path lets attacker-controlled input write to Object.prototype, and since JSON.parse ignores a reviver that is not callable, that path must be able to plant a function, not merely a string or number.
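The mechanism described above, as an added example that is not part of this advisory or of the axios code base: a stand-alone model of the gadget, with the vulnerable lookup beside a hardened one that honours only an own, callable parseReviver, plus the check that a non-callable polluted value is ignored. All function names (vulnerableTransformResponse, hardenedTransformResponse, pollute, runScenario, demonstrate) and the sample response are constructed for this illustration; the only thing taken from the advisory is the call shape JSON.parse(data, this.parseReviver) with this bound to the merged config.

```javascript
// Added example (not axios's own code): a stand-alone model of the parseReviver gadget.
// Function names and the sample response are ours; only the call shape
// JSON.parse(data, this.parseReviver) with `this` as the merged config comes from the advisory.

// Constructed sample API response, standing in for what a server would send back.
const SAMPLE_RESPONSE = JSON.stringify({ user: 'alice', role: 'user', balance: 100 });

// Vulnerable shape: the reviver is read through an ordinary property lookup, so a config
// object that never set parseReviver still inherits one from Object.prototype.
function vulnerableTransformResponse(data) {
  return JSON.parse(data, this.parseReviver);
}

// Hardened shape: honour a reviver only when it is an own property of the config and a
// function; anything inherited from the prototype chain is ignored.
function hardenedTransformResponse(data) {
  const hasOwn = Object.prototype.hasOwnProperty.call(this, 'parseReviver');
  const own = hasOwn ? this.parseReviver : undefined;
  const reviver = typeof own === 'function' ? own : undefined;
  return JSON.parse(data, reviver);
}

// The gadget needs a pollution primitive somewhere else in the process; assigning to
// Object.prototype directly stands in for that prerequisite here.
function pollute(value) {
  Object.prototype.parseReviver = value;
}

function cleanup() {
  delete Object.prototype.parseReviver;
}

// Attacker's reviver: JSON.parse calls it for every key/value pair, so it can rewrite
// chosen fields while leaving the rest of the response untouched.
function maliciousReviver(key, value) {
  if (key === 'role') return 'admin';
  if (key === 'balance') return 999999;
  return value;
}

// Runs one transform against a polluted prototype with a config that has no own
// parseReviver, then restores Object.prototype so the process stays clean.
function runScenario(transform, polluted = maliciousReviver) {
  const config = {}; // merged config: parseReviver absent, so the lookup reaches the prototype
  pollute(polluted);
  try {
    return transform.call(config, SAMPLE_RESPONSE);
  } finally {
    cleanup();
  }
}

// A legitimate caller-supplied reviver must keep working after hardening.
function runWithOwnReviver() {
  const config = { parseReviver: (key, value) => (key === 'balance' ? value * 2 : value) };
  return hardenedTransformResponse.call(config, SAMPLE_RESPONSE);
}

function demonstrate() {
  return {
    vulnerable: runScenario(vulnerableTransformResponse),
    hardened: runScenario(hardenedTransformResponse),
    // JSON.parse ignores a reviver that is not callable, so a pollution source that can
    // only write strings or numbers never reaches this gadget.
    nonCallable: runScenario(vulnerableTransformResponse, 'not a function'),
    ownReviver: runWithOwnReviver(),
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

The vulnerable result comes back with role "admin" and balance 999999 while user is untouched, which is exactly the selective rewrite the advisory describes; the hardened result and the non-callable case return the response unchanged, and the own-reviver case still doubles the balance. Freezing Object.prototype at process start is a blunt process-wide mitigation for any such gadget, but it can break libraries that legitimately extend built-in prototypes, so test it before relying on it.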
Recommendations: Update Axios to version 1.15.2 or later. Check the resolved version of every copy in the dependency tree, including transitive ones (for example with npm ls axios), since lockfiles often pin several versions of the same package.

Exploit

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-BE61221
CLEANSTART-2026-LC05413
CVE-2026-42044
GHSA-3W6X-2G7M-8V23

Affected Products

Axios