Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking — CVE-2026-42264
ID: CVE-2026-42264
Source: GitHub
Vendor: GitHub
Threat: high
CVSS: 7.4
EPSS: 0.00033
Summary

Five config properties in the HTTP adapter are read via direct property access without `hasOwnProperty` guards, making them exploitable as prototype pollution gadgets. When `Object.prototype` is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request.

## Affected Properties

1. **`config.auth`** (`lib/adapters/http.js` line 617)…
Product: axios (npm)
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.