Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.
Published: 2026-04-24
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary HTTP header injection
Action: Apply Patch
AI Analysis

Impact

Axios is a widely used HTTP client for browsers and Node.js. A prototype pollution flaw in the HTTP adapter can cause Axios to treat certain plain object payloads as FormData. When the polluted prototype contains getHeaders, append, pipe, on, once, and Symbol.toStringTag properties, the client invokes the attacker-controlled getHeaders() method and merges the returned headers into every outgoing request. This allows an attacker to insert arbitrary HTTP headers into requests that the application or a downstream server sends, potentially hijacking requests, redirecting traffic, or injecting malicious data.

Affected Systems

The vulnerability affects the Axios package, versions prior to 1.15.1 for browsers and 0.31.1 for Node.js environments. Any application that imports these affected versions and has a dependency that can pollute Object.prototype will be susceptible.

Risk and Exploitability

The CVSS score of 7.4 indicates moderate to high severity, yet the EPSS score of less than 1% suggests that exploitation is presently unlikely. The weakness is not listed in CISA’s KEV catalog, meaning the vulnerability has not yet been demonstrated in widespread attacks. Attackers would need to induce prototype pollution in their own application's dependency tree, then trigger the gadget within Axios to inject headers into outgoing traffic. Given the dependency-specific nature of prototype pollution, exploitation remains relatively complex and likely requires local or privilege escalation within the attacked environment.

Generated by OpenCVE AI on April 29, 2026 at 02:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Axios to at least version 1.15.1 for browsers or 0.31.1 for Node.js environments.
  • Audit the dependency tree for any modules that could pollute Object.prototype and remove or update them to versions that do not use unsafe prototype functions.
  • Implement application-level sanitization by freezing or cleaning Object.prototype before initializing Axios, ensuring that getHeaders and related prototype properties are not present.

Generated by OpenCVE AI on April 29, 2026 at 02:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6chq-wfr3-2hj9 Axios: Header Injection via Prototype Pollution
History

Wed, 29 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-915
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 27 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Axios
Axios axios
CPEs cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*
Vendors & Products Axios
Axios axios

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.
Title Axios: Header Injection via Prototype Pollution
Weaknesses CWE-113
CWE-1321
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Axios Axios
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-25T03:55:59.169Z

Reserved: 2026-04-23T16:05:01.708Z

Link: CVE-2026-42035

cve-icon Vulnrichment

Updated: 2026-04-24T18:08:00.490Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T18:16:30.273

Modified: 2026-04-27T19:58:39.227

Link: CVE-2026-42035

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T17:38:07Z

Links: CVE-2026-42035 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T02:30:07Z

Weaknesses
  • CWE-113

    Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

  • CWE-1321

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes