Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process. This vulnerability is fixed in 1.15.1 and 0.31.1.
Published: 2026-04-24
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Axios, a promise‑based HTTP client, contains a prototype pollution vulnerability that allows an attacker to silently alter every JSON response received by the application and to hijack the underlying HTTP transport, exposing request credentials, headers, and body. The flaw arises when Object.prototype is polluted by any co‑dependency or other code in the same process that adds keys read by Axios without guarding against prototype properties. This can lead to unauthorized data manipulation, credential theft, and potential further compromise of application logic.

Affected Systems

Axios versions prior to 1.15.1 and 0.31.1 used in both browser and Node.js environments are affected. The vulnerability is present in any deployment that includes an earlier Axios release in the same process as a package capable of polluting Object.prototype.

Risk and Exploitability

The CVSS score of 7.4 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. Axios is not listed in CISA's KEV catalog. Exploitation requires a separate component that can pollute the prototype in the same process, so a web application using Axios in conjunction with a vulnerable dependency that modifies Object.prototype would be the likely attack surface. Once the prototype is polluted, the attacker can hijack HTTP requests and perform response tampering or data exfiltration. The attack vector and exploitation prerequisites are inferred from the description and not explicitly stated in the advisory.

Generated by OpenCVE AI on May 1, 2026 at 05:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade axios to version 1.15.1 or 0.31.1 where the constructor checks haveOwnProperty for prototype properties.
  • Audit and update any third‑party dependencies that modify Object.prototype; remove or replace vulnerable packages that perform prototype pollution.
  • As a temporary measure, isolate the Axios execution context or patch Axios to add its own hasOwnProperty guard before accessing request headers, body, or response data.

Generated by OpenCVE AI on May 1, 2026 at 05:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pf86-5x62-jrwf Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
History

Fri, 01 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-915
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Axios
Axios axios
CPEs cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*
Vendors & Products Axios
Axios axios

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process. This vulnerability is fixed in 1.15.1 and 0.31.1.
Title Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
Weaknesses CWE-1321
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Axios Axios
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-25T03:55:57.725Z

Reserved: 2026-04-23T16:05:01.708Z

Link: CVE-2026-42033

cve-icon Vulnrichment

Updated: 2026-04-24T18:29:22.945Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T18:16:29.993

Modified: 2026-04-27T20:02:44.417

Link: CVE-2026-42033

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-24T17:36:44Z

Links: CVE-2026-42033 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T05:45:10Z

Weaknesses
  • CWE-1321

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes