Description
Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse, affected Axios versions may treat that inherited value as request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request. This vulnerability is fixed in 0.31.1 and 1.15.2.
Published: 2026-06-11
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Axios, a promise based HTTP client for browser and Node.js, contains a prototype pollution gadget in its request configuration processing for a range of versions. The vulnerability is triggered when a separate prototype‑polluting flaw or attacker control over Object.prototype has already polluted the property Object.prototype.transformResponse. When this polluted value is present, Axios may read it as request configuration or as an option validator, leading to the exposure of sensitive credentials through request payloads and manipulation of HTTP responses. The flaw does not create the pollution itself, and does not provide direct code execution but can be leveraged to steal credentials and hijack responses.

Affected Systems

The affected product is Axios, version 0.19.0 up to but not including 0.31.1, and 1.15.2. The issue is fixed in Axios 0.31.1 and 1.15.2 and later releases.

Risk and Exploitability

The vulnerability carries a CVSS score of 7, indicating moderate severity. The EPSS score is 0.00047 (<1%), indicating a very low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Exploitability requires a preceding prototype‑polluting vulnerability or attacker control over Object.prototype within the same JavaScript process before Axios creates a request. Therefore, the likelihood of exploitation is contingent on the presence of such a preceding flaw, making the overall risk moderate in the absence of additional vulnerabilities, but potentially higher if another prototype‑pollution vector is present. The likely attack vector involves an attacker first compromising Object.prototype in the JavaScript process, then leveraging Axios to transmit stolen credentials or hijacked responses.

Generated by OpenCVE AI on June 13, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Axios to version 0.31.1, 1.15.2, or later to eliminate the prototype‑pollution gadget
  • If an upgrade is not possible, isolate Axios usage in a sandboxed or separate execution context to avoid shared Object.prototype exposure
  • Implement runtime checks to verify that Object.prototype.transformResponse is not polluted, and enforce strict data type validation for request configurations

Generated by OpenCVE AI on June 13, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3g43-6gmg-66jw axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
History

Sat, 13 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-915
References
Metrics threat_severity

None

threat_severity

Important


Fri, 12 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Axios
Axios axios
Vendors & Products Axios
Axios axios

Thu, 11 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse, affected Axios versions may treat that inherited value as request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request. This vulnerability is fixed in 0.31.1 and 1.15.2.
Title Axios: Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
Weaknesses CWE-1321
CWE-94
References
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-01T12:04:32.399Z

Reserved: 2026-05-06T18:28:20.885Z

Link: CVE-2026-44495

cve-icon Vulnrichment

Updated: 2026-06-30T03:15:50.542Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-11T17:16:33.450

Modified: 2026-06-12T14:16:31.170

Link: CVE-2026-44495

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-11T15:33:12Z

Links: CVE-2026-44495 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T02:00:08Z

Weaknesses
  • CWE-1321

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')