Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios silently picks up the polluted values. (1) lib/utils.js line 406 builds merge()'s accumulator as result = {}, so result[targetKey] (line 414) walks Object.prototype and the polluted bucket's own keys are copied into the merged headers and ride out on the wire. (2) lib/core/mergeConfig.js line 26 builds the hasOwnProperty descriptor as a plain-object literal. Object.defineProperty reads descriptor.get/descriptor.set via the prototype chain, so a polluted Object.prototype.get or Object.prototype.set makes the call throw TypeError synchronously on every axios request. This vulnerability is fixed in 0.32.0 and 1.16.0.
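As an added example (not code from the axios project or from this advisory), the two gadgets the description names reduced to a minimal model, each beside a hardened form; the null-prototype accumulator and null-prototype descriptor are assumed fixes for illustration, not necessarily the changes shipped in 0.32.0 and 1.16.0:

```javascript
// Added illustration, not axios's own code: a minimal merge built the way the advisory
// describes (accumulator is a plain {}) beside a hardened variant, then the same plain-vs-
// null-prototype contrast for a property descriptor. Pollution is simulated on Object.prototype.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// mk() creates the accumulator; lookup() reads an existing entry from it.
function mergeWith(mk, lookup, ...sources) {
  const result = mk();
  for (const src of sources) {
    for (const key of Object.keys(src)) {
      const val = src[key];
      const existing = lookup(result, key);
      result[key] = isPlainObject(val)
        ? mergeWith(mk, lookup, isPlainObject(existing) ? existing : {}, val) : val;
    }
  }
  return result;
}
// Gadget (1) shape: plain {} accumulator, so result[key] walks up to Object.prototype.
const mergeUnsafe = (...s) => mergeWith(() => ({}), (r, k) => r[k], ...s);
// Hardened (an assumed fix, not necessarily what axios shipped): null-prototype
// accumulator and own-key lookups, so a polluted bucket is never used as a base.
const mergeSafe = (...s) => mergeWith(() => Object.create(null),
  (r, k) => (Object.prototype.hasOwnProperty.call(r, k) ? r[k] : undefined), ...s);

// Runs fn while Object.prototype[name] is polluted, then restores the prototype.
function withPollutedPrototype(name, value, fn) {
  Object.prototype[name] = value;
  try { return fn(); } finally { delete Object.prototype[name]; }
}

// Header injection: the polluted key ends up only in the unsafe merge's headers.
function headerInjectionDemo() {
  return withPollutedPrototype('headers', { 'X-Injected': 'polluted' }, () => ({
    unsafe: Object.keys(mergeUnsafe({}, { headers: { Accept: 'application/json' } }).headers),
    safe: Object.keys(mergeSafe({}, { headers: { Accept: 'application/json' } }).headers),
  }));
}

// Gadget (2): Object.defineProperty reads descriptor.get via the prototype chain, so a
// plain-object descriptor inherits a polluted get and throws; a null-prototype one does not.
function defineWith(descriptor) {
  try { Object.defineProperty({}, 'hasOwnProperty', descriptor); return 'ok'; } catch (e) { return e.name; }
}
function descriptorDemo() {
  return withPollutedPrototype('get', () => undefined, () => ({
    plain: defineWith({ value: () => false, configurable: true }),
    nullProto: defineWith({ __proto__: null, value: () => false, configurable: true }),
  }));
}
```

Running both demos in Node shows the unsafe merge carrying `X-Injected` into the headers while the safe one does not, and the plain descriptor failing with `TypeError` while the null-prototype descriptor succeeds.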
Published: 2026-06-11
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Axios, a promise based HTTP client for the browser and Node.js, contains read‑side prototype‑pollution gadgets in its merge functions prior to versions 0.32.0 and 1.16.0. When an upstream dependency such as lodash performs _.merge and pollutes Object.prototype, Axios silently absorbs the polluted values. The first gadget copies polluted bucket keys into merged headers, resulting in header injection that can leak data or alter request semantics. The second gadget creates a descriptor that, when polluted, triggers a synchronous TypeError on every request, leading to a denial of service. This flaw allows an attacker who can influence the environment of a running process to disrupt or tamper with HTTP traffic.

Affected Systems

The vulnerability affects the Axios library under the axios:axios product. All versions of axios older than 0.32.0 in the 0.x series and older than 1.16.0 in the 1.x series are impacted. No specific operating systems or runtime environments are mentioned, but the flaw is present in both browser and Node.js usage.

Risk and Exploitability

The CVSS score is 4.8, indicating a moderate impact level. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation. Attackers can exploit the issue by ensuring that a vulnerable dependency such as lodash is used in the same process, thereby polluting Object.prototype. This does not require network access or user interaction beyond the application’s runtime environment, but the attack vector is primarily via a compromised process or malicious library injection.

Generated by OpenCVE AI on June 12, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Axios to a fixed version: 0.32.0 or newer for the 0.x series, or 1.16.0 or newer for the 1.x series.
  • Update all dependencies that can perform prototype pollution, such as lodash, to a non-vulnerable version or replace _.merge with a safer alternative.
  • Review and refactor application code to avoid using merge functions that read from Object.prototype and validate or sanitize any data that may influence merge operations.

Advisories
Source: Github GHSA
ID: GHSA-898c-q2cr-xwhg
Title: axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
History

Fri, 12 Jun 2026 00:15:00 +0000

Type: Weaknesses; Values Added: CWE-915
Type: References
Type: Metrics (threat_severity); Values Removed: None; Values Added: Moderate

Thu, 11 Jun 2026 20:00:00 +0000

Type: First Time appeared; Values Added: Axios, Axios axios
Type: Vendors & Products; Values Added: Axios, Axios axios

Thu, 11 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc); Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 16:45:00 +0000

Type: Description; Values Added: Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios silently picks up the polluted values. (1) lib/utils.js line 406 builds merge()'s accumulator as result = {}, so result[targetKey] (line 414) walks Object.prototype and the polluted bucket's own keys are copied into the merged headers and ride out on the wire. (2) lib/core/mergeConfig.js line 26 builds the hasOwnProperty descriptor as a plain-object literal. Object.defineProperty reads descriptor.get/descriptor.set via the prototype chain, so a polluted Object.prototype.get or Object.prototype.set makes the call throw TypeError synchronously on every axios request. This vulnerability is fixed in 0.32.0 and 1.16.0.
Type: Title; Values Added: Axios: DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
Type: Weaknesses; Values Added: CWE-1321
Type: References
Type: Metrics (cvssV3_1); Values Added: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T17:23:44.278Z

Reserved: 2026-05-06T17:18:51.783Z

Link: CVE-2026-44490

Vulnrichment

Updated: 2026-06-11T17:22:43.872Z

NVD

Status : Awaiting Analysis

Published: 2026-06-11T17:16:33.027

Modified: 2026-06-11T20:56:29.653

Link: CVE-2026-44490

Redhat

Severity : Moderate

Public Date: 2026-06-11T15:36:13Z

Links: CVE-2026-44490 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-12T02:00:12Z

Weaknesses
  • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes