PT-2026-36988 · Npm · Axios

Bulmax9797-Sketch · Published 2026-05-05 · Updated 2026-05-18 · CVE-2026-42264

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Axios versions 1.0.0 through 1.15.1

Description

Axios is a promise-based HTTP client for the browser and Node.js. The HTTP adapter reads five configuration properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) via direct property access without using hasOwnProperty guards. This allows these properties to act as prototype pollution gadgets. If Object.prototype is polluted by another dependency within the same process, Axios will silently use these polluted values for every outbound HTTP request. Prototype pollution is a vulnerability where an attacker can manipulate the prototype of a base object, leading to the injection of properties into all objects inheriting from that prototype.

Recommendations

Update to version 1.15.2.
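
The difference between a direct property read and a hasOwnProperty-guarded read, as an added example that is not Axios code and not part of the advisory. The helper names (`readDirect`, `readOwn`, `isolateConfig`, `pollutedGadgetKeys`) are hypothetical and the polluted value is constructed; the last helper is a process-level check for the five properties named above.

```javascript
// Added example: hypothetical helpers, not code from Axios.

// The five config properties the advisory names as gadgets.
const GADGET_KEYS = ['auth', 'baseURL', 'socketPath', 'beforeRedirect', 'insecureHTTPParser'];

// Unguarded read: falls through to Object.prototype when the key is unset.
function readDirect(config, key) {
  return config[key];
}

// Guarded read: only a value set on the config object itself is honoured.
function readOwn(config, key) {
  return Object.prototype.hasOwnProperty.call(config, key) ? config[key] : undefined;
}

// Copy own enumerable keys onto a null-prototype object, so that even
// direct reads further down the call chain cannot inherit anything.
function isolateConfig(config) {
  const clean = Object.create(null);
  for (const k of Object.keys(config)) clean[k] = config[k];
  return clean;
}

// Health check: which gadget keys are currently defined on Object.prototype?
function pollutedGadgetKeys() {
  return GADGET_KEYS.filter((k) =>
    Object.prototype.hasOwnProperty.call(Object.prototype, k));
}

// Constructed demonstration: simulate pollution by another dependency,
// compare the three reads, then restore Object.prototype.
function demo() {
  const config = { url: '/status' }; // caller never set baseURL
  Object.prototype.baseURL = 'https://polluted.example'; // constructed value
  try {
    return {
      direct: readDirect(config, 'baseURL'),
      own: readOwn(config, 'baseURL'),
      isolated: readDirect(isolateConfig(config), 'baseURL'),
      detected: pollutedGadgetKeys(),
    };
  } finally {
    delete Object.prototype.baseURL;
  }
}
```

Running `pollutedGadgetKeys()` at startup and in health checks gives a signal that some dependency in the process has polluted Object.prototype, independent of which Axios version is installed.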

Exploit

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-BE61221
CLEANSTART-2026-LC05413
CVE-2026-42264

Affected Products

Axios