Description
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.
Published: 2026-04-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Manipulation
Action: Patch
AI Analysis

Impact

Axios library between versions 1.0.0 and before 1.15.2 contains a prototype pollution gadget. The default transformResponse uses JSON.parse with a reviver taken from the request configuration. Because the parseReviver property is not validated or constrained, a polluted Object.prototype.parseReviver function will be invoked for every key–value pair in a JSON response. This allows an attacker who can inject prototype pollution into the dependency tree to surgically modify responses, potentially altering balances, bypassing authorization, or escalating privileges, while leaving the rest of the data unchanged.

Affected Systems

Axios, a promise‑based HTTP client for browsers and Node.js, is affected in versions 1.0.0 through 1.15.1. The vulnerability exists in the library's configuration handling before the 1.15.2 release. All users of Axios in either environment that have not upgraded are impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity. The EPSS score is below 1%, implying a low probability of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Attack requires an adversary to introduce prototype pollution into Axios' dependency tree so that a malicious Object.prototype.parseReviver function is executed during JSON parsing. Once in place, the attacker can alter any response value while keeping other data intact.

Generated by OpenCVE AI on April 28, 2026 at 05:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Axios to version 1.15.2 or later.
  • If upgrading immediately is not feasible, audit and patch any third‑party dependencies that may pollute Object.prototype, removing or sanitizing any custom parseReviver properties.
  • Reconfigure Axios to use the default transformResponse that does not supply a reviver, or set transformResponse to a safe implementation that ignores Object.prototype values.

Generated by OpenCVE AI on April 28, 2026 at 05:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3w6x-2g7m-8v23 Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
History

Wed, 13 May 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat service Mesh
CPEs cpe:/a:redhat:service_mesh:3.0::el9
cpe:/a:redhat:service_mesh:3.1::el9
cpe:/a:redhat:service_mesh:3.2::el9
cpe:/a:redhat:service_mesh:3.3::el9
Vendors & Products Redhat
Redhat service Mesh
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Axios
Axios axios
CPEs cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*
Vendors & Products Axios
Axios axios

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.
Title Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
Weaknesses CWE-1321
CWE-915
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N'}

Subscriptions

Axios Axios
Redhat Service Mesh
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T18:12:13.920Z

Reserved: 2026-04-23T16:05:01.709Z

Link: CVE-2026-42044

cve-icon Vulnrichment

Updated: 2026-04-24T18:12:09.534Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T18:16:31.613

Modified: 2026-04-27T20:04:11.347

Link: CVE-2026-42044

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-24T17:49:49Z

Links: CVE-2026-42044 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T06:00:09Z

Weaknesses