Description
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.
Published: 2026-06-11
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Axios, versions 1.0.0 through 1.15.x, improperly merges HTTP configuration settings. The config.proxy property is read without own‑property checks, allowing attackers to pollute Object.prototype and inject a proxy address. Once set, every Axios request is transparently routed through the attacker’s proxy, enabling interception, replay, or tampering of all HTTP traffic, including credentials.

Affected Systems

The vulnerability affects projects that depend on the Axios library, specifically axios:axios versions 1.0.0 up to, but not including, 1.16.0. Any application that uses these Axios releases is potentially exposed if a dependency can perform prototype pollution.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. No EPSS value is available, and the vulnerability is currently not listed in the CISA KEV catalog. Attackers can exploit it by first introducing prototype pollution through a vulnerable dependency in the application’s dependency tree and then using the polluted proxy setting to perform a full MITM attack. The risk is high due to the ability to exfiltrate confidential data and modify traffic without detection.

Generated by OpenCVE AI on June 11, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Axios to version 1.16.0 or later, where the prototype‑pollution issue is addressed.
  • Audit the dependency tree for libraries that can mutate Object.prototype and either upgrade, patch, or remove them, ensuring that no prototype pollution can occur.
  • Keep Axios at the patched version and regularly monitor the Axios project for security updates or advisories.

Generated by OpenCVE AI on June 11, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-35jp-ww65-95wh axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
History

Thu, 11 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Axios
Axios axios
Vendors & Products Axios
Axios axios

Thu, 11 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.
Title Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
Weaknesses CWE-1321
CWE-441
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}

Subscriptions

Axios Axios
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T17:24:01.932Z

Reserved: 2026-05-06T17:18:51.783Z

Link: CVE-2026-44494

cve-icon Vulnrichment

Updated: 2026-06-11T17:23:44.267Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-11T17:16:33.313

Modified: 2026-06-11T20:56:29.653

Link: CVE-2026-44494

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T20:30:28Z

Weaknesses
  • CWE-1321

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CWE-441

    Unintended Proxy or Intermediary ('Confused Deputy')