CVE-2026-42264— Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42264
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking
Source: NVD (National Vulnerability Database)
Vulnerability Description
Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1321
Source: NVD (National Vulnerability Database)
Vulnerability Title
Axios 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Axios是Axios开源的一款基于Promise(异步编程的一种解决方案)的HTTP客户端。 Axios 1.0.0版本至1.15.2之前版本存在安全漏洞,该漏洞源于HTTP适配器中的五个配置属性通过直接属性访问读取而无hasOwnProperty保护,可作为原型污染小工具利用,当同一进程中其他依赖项污染Object.prototype时,axios在每次出站HTTP请求中静默获取这些污染值。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-42264
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42264
请登录查看更多情报信息。
- Release v1.15.2 · axios/axios · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-42264
IV. Related Vulnerabilities
Same product: axios
- CVE-2026-42042
Axios: XSRF Token Cross-Origin Leakage via Prototype Polluti - CVE-2026-42039
Axios: unbounded recursion in toFormData causes DoS via deep - CVE-2026-42036
Axios: HTTP adapter streamed responses bypass maxContentLeng - CVE-2026-42034
Axios: HTTP adapter streamed uploads bypass maxBodyLength wh - CVE-2026-42037
Axios: CRLF Injection in multipart/form-data body via unsani
Same vendor: axios
- CVE-2026-42042
Axios: XSRF Token Cross-Origin Leakage via Prototype Polluti - CVE-2026-42039
Axios: unbounded recursion in toFormData causes DoS via deep - CVE-2026-42036
Axios: HTTP adapter streamed responses bypass maxContentLeng - CVE-2026-42034
Axios: HTTP adapter streamed uploads bypass maxBodyLength wh - CVE-2026-42037
Axios: CRLF Injection in multipart/form-data body via unsani
Same weakness: CWE-1321
- CVE-2026-42232
n8n: XML Node Prototype Pollution to RCE - CVE-2026-42231
n8n: Prototype Pollution in XML Webhook Body Parser Leads to - CVE-2026-42077
Evolver: Prototype Pollution via `Object.assign()` in mailbo - CVE-2026-42033
Axios: Prototype Pollution Gadgets - Response Tampering, Dat - CVE-2026-6621
1024bit extend-deep index.js prototype pollution
V. Comments for CVE-2026-42264
No comments yet