PT-2026-44909 · Root+5 · @Rootio/Axios+2

·

CVE-2026-44489

·

Published

2026-05-29

·

Updated

2026-07-06

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions Axios versions 1.15.2 through 1.15.9
Description Nested objects created by the merge() function in utils.js are constructed as plain objects, meaning they retain Object.prototype in their prototype chain. The setProxy() function in lib/adapters/http.js reads the username, password, and auth properties of the proxy object without using hasOwnProperty checks. If Object.prototype.username is polluted, setProxy() will construct a Proxy-Authorization header using attacker-controlled credentials and inject it into every proxied HTTP request. This issue is a patch bypass of a previous fix that only protected top-level configuration objects.
Recommendations Update Axios to version 1.16.0. As a temporary workaround, avoid using the proxy configuration in the affected versions until the update is applied.

Exploit

Fix

Prototype Pollution

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44489
GHSA-654M-C8P4-X5FP

Affected Products

@Rootio/Axios
Axios
Node-Axios