Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy non-boolean value (via prototype pollution or misconfiguration), the same-origin check (isURLSameOrigin) is short-circuited, causing XSRF tokens to be sent to all request targets including cross-origin servers controlled by an attacker. This vulnerability is fixed in 1.15.1 and 0.31.1.
Published: 2026-04-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Axios uses JavaScript truthy/falsy semantics for the withXSRFToken configuration property instead of a strict boolean comparison. When this property is set to any truthy non-boolean value, whether through prototype pollution or a misconfiguration, Axios skips the same-origin verification, so the XSRF token is included in every request, including requests to cross-origin endpoints. An attacker who controls such an endpoint receives the victim's XSRF token, which can be reused for request forgery; this compromises the confidentiality of the anti-CSRF token and can facilitate further CSRF or credential-stealing attacks.

Affected Systems

The vulnerable component is the Axios library itself, which is used in both browser and Node.js environments. Versions before 1.15.1 for browser support and before 0.31.1 for Node.js are vulnerable. The issue originates from the way Axios processes the withXSRFToken property, not from the host runtime.

Risk and Exploitability

The CVSS score of 5.4 reflects moderate severity, while an EPSS score below 1% indicates a very low, but not zero, likelihood of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog. An attacker could obtain the victim's XSRF token through a prototype pollution gadget or a misconfigured withXSRFToken setting. With the token in hand, they could craft forged requests to the victim's application or use it in other CSRF or credential-stealing activity.

Generated by OpenCVE AI on April 29, 2026 at 17:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Axios to a version equal to or later than 1.15.1 for browser usage or 0.31.1 for Node.js usage
  • Validate that the withXSRFToken configuration value is a strict boolean; reject or normalize any other values before setting the property
  • Audit codebases for prototype pollution vulnerabilities or accidental redefinition of Boolean objects that could affect withXSRFToken; implement input sanitization or comprehensive unit tests to prevent these changes

Generated by OpenCVE AI on April 29, 2026 at 17:14 UTC.
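The decision logic described in the Impact section, and the strict-boolean validation called for in the recommended actions, as an added illustration that is not axios's own source: a simplified model of the "attach the XSRF header?" check in its truthy/falsy form beside a strict-boolean form, plus a config validator. `withXSRFToken` and `isURLSameOrigin` are names taken from the advisory; `shouldAttachTokenVulnerable`, `shouldAttachTokenHardened`, `normalizeWithXSRFToken`, the page origin and the request URLs are constructed for this example. The prototype-pollution case is modelled with `Object.create` (a config object whose prototype carries the property) rather than by modifying `Object.prototype`.

```javascript
// Added illustration, not axios's source: a simplified model of the XSRF-header
// decision. Names other than withXSRFToken and isURLSameOrigin are assumptions.

// Stand-in for axios's isURLSameOrigin: compares the request URL's origin with
// a constructed "current page" origin (scheme, host and port).
function isURLSameOrigin(requestUrl, pageOrigin = 'https://app.example.test') {
  const target = new URL(requestUrl, pageOrigin);
  return target.origin === new URL(pageOrigin).origin;
}

// Vulnerable form: truthy/falsy semantics. Any truthy non-boolean value (a
// string, an object, a value inherited from a polluted prototype) makes the
// left operand true, so the same-origin check on the right is never consulted
// and the token is attached to cross-origin requests too.
function shouldAttachTokenVulnerable(config, requestUrl) {
  const withXSRFToken = config.withXSRFToken;
  return Boolean(withXSRFToken || (withXSRFToken !== false && isURLSameOrigin(requestUrl)));
}

// Hardened form: only the literal boolean `true` opts in to cross-origin
// sending, `false` opts out, and anything else falls back to the same-origin
// check. The value is read as an own property so an inherited value cannot
// opt the request in.
function shouldAttachTokenHardened(config, requestUrl) {
  const own = Object.prototype.hasOwnProperty.call(config, 'withXSRFToken');
  const withXSRFToken = own ? config.withXSRFToken : undefined;
  if (withXSRFToken === true) return true;
  if (withXSRFToken === false) return false;
  return isURLSameOrigin(requestUrl);
}

// Config-time validation as recommended above: accept only a strict boolean
// (or an absent value) and reject anything else before it reaches the request path.
function normalizeWithXSRFToken(value) {
  if (value === undefined) return undefined;
  if (typeof value !== 'boolean') {
    throw new TypeError(`withXSRFToken must be a boolean, got ${typeof value}`);
  }
  return value;
}

// Constructed scenario: a cross-origin request target, one config with a
// misconfigured string value, and one whose value lives only on its prototype.
function demo() {
  const crossOrigin = 'https://attacker.example.test/collect';          // constructed
  const misconfigured = { withXSRFToken: 'yes' };                         // truthy non-boolean
  const inherited = Object.create({ withXSRFToken: 'polluted' });        // models a polluted prototype
  return {
    misconfiguredVulnerable: shouldAttachTokenVulnerable(misconfigured, crossOrigin), // true: token leaks
    misconfiguredHardened: shouldAttachTokenHardened(misconfigured, crossOrigin),     // false
    inheritedVulnerable: shouldAttachTokenVulnerable(inherited, crossOrigin),         // true: token leaks
    inheritedHardened: shouldAttachTokenHardened(inherited, crossOrigin),             // false
  };
}

console.log(demo());
```

The hardened check silently treats a non-boolean as "unset"; in practice run `normalizeWithXSRFToken` when the config is built so a bad value fails loudly instead, which is what the second recommended action asks for.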


Advisories
Source: GitHub GHSA
ID: GHSA-xx6v-rp6x-q39c
Title: Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
History

Wed, 29 Apr 2026 12:15:00 +0000

Weaknesses: CWE-1025
References
Metrics (threat_severity): None -> Moderate


Tue, 28 Apr 2026 12:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 20:15:00 +0000

First Time appeared: Axios; Axios axios
CPEs: cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*
Vendors & Products: Axios; Axios axios

Fri, 24 Apr 2026 18:15:00 +0000

Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy non-boolean value (via prototype pollution or misconfiguration), the same-origin check (isURLSameOrigin) is short-circuited, causing XSRF tokens to be sent to all request targets including cross-origin servers controlled by an attacker. This vulnerability is fixed in 1.15.1 and 0.31.1.
Title: Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
Weaknesses: CWE-183, CWE-201
References
Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-27T17:35:41.883Z

Reserved: 2026-04-23T16:05:01.709Z

Link: CVE-2026-42042

Vulnrichment

Updated: 2026-04-27T17:35:19.552Z

NVD

Status : Analyzed

Published: 2026-04-24T18:16:31.293

Modified: 2026-04-27T20:05:27.500

Link: CVE-2026-42042

Redhat

Severity : Moderate

Public Date: 2026-04-24T18:03:29Z

Links: CVE-2026-42042 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T17:15:16Z

Weaknesses