CVE-2026-42033

HIGH

Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking

Title source: cna

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process. This vulnerability is fixed in 1.15.1 and 0.31.1.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf

Scores

CVSS v3 7.4

EPSS 0.0037

EPSS Percentile 28.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-1321

Status published

Products (3)

axios/axios < 0.31.1 (2 CPE variants)

axios/axios >= 1.0.0, < 1.15.1

npm/axios 1.0.0 - 1.15.1npm

Published Apr 24, 2026

Tracked Since Apr 24, 2026