PT-2026-44909 · Root+5 · @Rootio/Axios+2
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Axios versions 1.15.2 through 1.15.9
Description
Nested objects created by the
merge() function in utils.js are constructed as plain objects, meaning they retain Object.prototype in their prototype chain. The setProxy() function in lib/adapters/http.js reads the username, password, and auth properties of the proxy object without using hasOwnProperty checks. If Object.prototype.username is polluted, setProxy() will construct a Proxy-Authorization header using attacker-controlled credentials and inject it into every proxied HTTP request. This issue is a patch bypass of a previous fix that only protected top-level configuration objects.Recommendations
Update Axios to version 1.16.0.
As a temporary workaround, avoid using the
proxy configuration in the affected versions until the update is applied.Exploit
Fix
Prototype Pollution
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
@Rootio/Axios
Axios
Node-Axios