CVE-2026-42042— Axios 安全漏洞

Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy non-boolean value (via prototype pollution or misconfiguration), the same-origin check (isURLSameOrigin) is short-circuited, causing XSRF tokens to be sent to all request targets including cross-origin servers controlled by an attacker. This vulnerability is fixed in 1.15.1 and 0.31.1.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

宽松定义的白名单

Axios 安全漏洞

Axios是Axios开源的一款基于Promise（异步编程的一种解决方案）的HTTP客户端。 Axios 1.15.1之前版本和0.31.1之前版本存在安全漏洞，该漏洞源于XSRF令牌保护逻辑使用JavaScript真值/假值语义而非严格布尔比较，导致同源检查被短路，XSRF令牌发送到所有请求目标。

N/A

N/A