Axios, a promise based HTTP client for browser and Node.js, contains a prototype pollution gadget in its request configuration processing for a range of versions. The vulnerability is triggered when a separate prototype‑polluting flaw or attacker control over Object.prototype has already polluted the property Object.prototype.transformResponse. When this polluted value is present, Axios may read it as request configuration or as an option validator, leading to the exposure of sensitive credentials through request payloads and manipulation of HTTP responses. The flaw does not create the pollution itself, and does not provide direct code execution but can be leveraged to steal credentials and hijack responses.

The affected product is Axios, version 0.19.0 up to but not including 0.31.1, and 1.15.2. The issue is fixed in Axios 0.31.1 and 1.15.2 and later releases.

The vulnerability carries a CVSS score of 7, indicating moderate severity. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. Exploitability requires a preceding prototype‑polluting vulnerability or attacker control over Object.prototype within the same JavaScript process before Axios creates a request. Therefore, the likelihood of exploitation is contingent on the presence of such a preceding flaw, making the overall risk moderate in the absence of additional vulnerabilities, but potentially higher if another prototype‑pollution vector is present. The likely attack vector involves an attacker first compromising Object.prototype in the JavaScript process, then leveraging Axios to transmit stolen credentials or hijacked responses.