PT-2026-44911 · Npm · Axios
Published
2026-05-29
·
Updated
2026-07-07
·
CVE-2026-44495
CVSS v3.1
7.0
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Axios versions 0.19.0 through 0.31.0
Axios versions 1.x through 1.15.1
Description
Axios contains prototype-pollution gadgets in its request configuration processing. If a separate vulnerability in the same JavaScript process allows an attacker to pollute
Object.prototype.transformResponse, affected versions may treat this inherited value as request configuration or an option validator. This issue does not create prototype pollution itself but acts as a gadget that requires existing attacker control over Object.prototype before a request is created.Technical details include:
- Vulnerable Functions: The
mergeConfig()function reads configuration values through standard property access, allowing missing properties on the request config to fall through toObject.prototype. ThetransformData()function then executes the selected transform with the request config asthis. - Impact: If
Object.prototype.transformResponseis polluted with a function, it can override the default JSON response parser. This allows the function to observe and exfiltrate sensitive request configuration, such asauth(includingusernameandpassword), the request URL, and headers, as well as the original response data. If polluted with a non-function value (e.g., an array), it can lead to a denial-of-service (DoS) by causing aTypeErrorduring validation invalidator.assertOptions().
Recommendations
Update Axios to version 0.31.1 or 1.15.2.
As a temporary mitigation, restrict the use of the
transformResponse configuration or ensure that no other dependencies in the application stack are susceptible to prototype pollution.Exploit
Fix
Prototype Pollution
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Axios