Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript's in operator — an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () => true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1.
Published: 2026-04-24
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Axios, a widely used HTTP client, contains an object prototype pollution flaw that lets an attacker overwrite Object.prototype.validateStatus with a function that always returns true. This causes Axios to treat every HTTP status code as a successful response, silently bypassing error handling and application‑level authentication. The result is that protected resources may be accessed without proper credential verification while the attacker remains invisible to normal error‑logging or monitoring pipelines. The weakness involves improper handling of prototype chains (CWE-1321), inadequate authentication checks (CWE-287), and exploitation through property mutation that escalates privileges (CWE-915).

Affected Systems

Vulnerable versions of the Axios library are those older than 1.15.1 for Node.js and older than 0.31.1 for browser environments. Any project that imports or requires those legacy packages is at risk, regardless of the surrounding infrastructure.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity; the EPSS score of less than 1% shows that exploitation is unlikely to be prolific, and the vulnerability is not currently listed in CISA’s KEV catalog. Based on the description, the likely attack vector involves executing arbitrary JavaScript in an environment that imports Axios, so it is most relevant to web applications, server‑side scripting, or any environment where client code can influence server requests. If the attacker can manipulate Object.prototype—common in environments that serve or process untrusted input—then the prototype‑pollution gadget will be triggered, flattening error codes and enabling unauthorized access.

Generated by OpenCVE AI on May 6, 2026 at 01:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Axios library to version 1.15.1 (Node) or 0.31.1 (browser) which removes the vulnerable merge strategy.
  • If an upgrade is not immediately possible, avoid setting or relying on the validateStatus property, and instead explicitly check response.status for codes that indicate success.
  • As a temporary defence, ensure that the runtime environment sanitises Object.prototype and prohibits modifications from untrusted code, or isolate Axios usage within a trusted sandbox.


Advisories

Source: GitHub GHSA
ID: GHSA-w9j2-pvgh-6h63
Title: Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

History

Wed, 06 May 2026 00:15:00 +0000

Weaknesses: added CWE-915
References: (none listed)
Metrics: threat_severity changed from None to Important


Mon, 27 Apr 2026 20:15:00 +0000

First Time appeared: Axios, Axios axios
CPEs: added cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*
Vendors & Products: added Axios, Axios axios

Fri, 24 Apr 2026 19:15:00 +0000

Metrics: ssvc added {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 18:15:00 +0000

Description: added "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript's in operator — an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () => true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1."
Title: added "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy"
Weaknesses: added CWE-1321, CWE-287
References: (none listed)
Metrics: cvssV3_1 added {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T18:32:58.115Z

Reserved: 2026-04-23T16:05:01.709Z

Link: CVE-2026-42041

Vulnrichment

Updated: 2026-04-24T18:29:58.031Z

NVD

Status : Analyzed

Published: 2026-04-24T18:16:31.133

Modified: 2026-04-27T20:07:58.037

Link: CVE-2026-42041

Redhat

Severity : Important

Public Date: 2026-04-24T17:55:30Z

Links: CVE-2026-42041 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T02:00:12Z

Weaknesses