PT-2026-44911 · Npm · Axios

Published

2026-05-29

·

Updated

2026-07-07

·

CVE-2026-44495

CVSS v3.1

7.0

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions Axios versions 0.19.0 through 0.31.0 Axios versions 1.x through 1.15.1
Description Axios contains prototype-pollution gadgets in its request configuration processing. If a separate vulnerability in the same JavaScript process allows an attacker to pollute Object.prototype.transformResponse, affected versions may treat this inherited value as request configuration or an option validator. This issue does not create prototype pollution itself but acts as a gadget that requires existing attacker control over Object.prototype before a request is created.
Technical details include:
  • Vulnerable Functions: The mergeConfig() function reads configuration values through standard property access, allowing missing properties on the request config to fall through to Object.prototype. The transformData() function then executes the selected transform with the request config as this.
  • Impact: If Object.prototype.transformResponse is polluted with a function, it can override the default JSON response parser. This allows the function to observe and exfiltrate sensitive request configuration, such as auth (including username and password), the request URL, and headers, as well as the original response data. If polluted with a non-function value (e.g., an array), it can lead to a denial-of-service (DoS) by causing a TypeError during validation in validator.assertOptions().
Recommendations Update Axios to version 0.31.1 or 1.15.2. As a temporary mitigation, restrict the use of the transformResponse configuration or ensure that no other dependencies in the application stack are susceptible to prototype pollution.

Exploit

Fix

Prototype Pollution

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44495
GHSA-3G43-6GMG-66JW
RHSA-2026:34160

Affected Products

Axios