Skip to main content

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in axios

CVE-2026-44490

  • axios
Severity High
Score 8.2/10

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.0.0 prior to 1.16.0, axios exposes two read-side prototype-pollution gadgets. When "Object.prototype" is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios silently picks up the polluted values. (1) lib/utils.js line 406 builds merge()'s accumulator as result = {}, so result[targetKey] (line 414) walks "Object.prototype" and the polluted bucket's own keys are copied into the merged headers and ride out on the wire. (2) lib/core/mergeConfig.js line 26 builds the "hasOwnProperty" descriptor as a plain-object literal. "Object.defineProperty" reads "descriptor.get/descriptor.set" via the prototype chain, so a polluted "Object.prototype.get" or "Object.prototype.set" makes the call throw "TypeError" synchronously on every axios request. This vulnerability is fixed in 0.32.0 and 1.16.0.

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-1321 - Prototype Pollution

Prototype pollution is one of the lesser-known vulnerabilities. It allows attackers to abuse the rules of JavaScript by injecting properties into the general object “Object” in JS. Modifying the prototype of “Object” affects the behavior of all objects in the entire app, potentially resulting in denial of service, arbitrary code execution, cross-site scripting, etc.

Advisory Timeline

  • Published