Description
Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.
Published: 2026-05-08
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Axios versions from 1.0.0 up to 1.15.1 allow certain configuration properties in the HTTP adapter to be read without ownership checks. In the presence of a polluted Object.prototype, these values can be overridden, enabling an attacker to inject credentials or hijack outgoing requests. This prototype pollution weakness (CWE-1321) can compromise confidentiality and integrity of requests.

Affected Systems

The affected vendor is Axios. Products are the axios HTTP client library from version 1.0.0 through 1.15.1. The patch was released in version 1.15.2.

Risk and Exploitability

The CVSS score of 7.4 indicates a high severity vulnerability. EPSS data is unavailable, so the likelihood of exploitation cannot be precisely quantified, and it is not listed in the CISA KEV catalog. The likely attack vector requires that an attacker can influence the dependency chain or inject code into the same process that modifies Object.prototype, after which contaminated values will be reused by Axios on every outbound request.

Generated by OpenCVE AI on May 8, 2026 at 05:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Axios to version 1.15.2 or later to apply the vendor patch
  • Ensure that no dependency or external library modifies Object.prototype during runtime
  • Audit and restrict runtime dependencies to prevent accidental prototype pollution

Generated by OpenCVE AI on May 8, 2026 at 05:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q8qp-cvcw-x6jj Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
History

Fri, 08 May 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Axios
Axios axios
Vendors & Products Axios
Axios axios

Fri, 08 May 2026 04:00:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.
Title Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking
Weaknesses CWE-1321
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Axios Axios
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T03:20:24.248Z

Reserved: 2026-04-26T11:53:27.706Z

Link: CVE-2026-42264

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T04:16:20.313

Modified: 2026-05-08T04:16:20.313

Link: CVE-2026-42264

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses