SB2026052927 - Multiple vulnerabilities in axios
Published: May 29, 2026 Updated: May 31, 2026
Description
This security bulletin contains information about 8 vulnerabilities.
1) Prototype pollution (CVE-ID: CVE-2026-44494)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation in config.proxy. A remote attacker can pass specially crafted input to the application and perform a man-in-the-middle (MitM) attack, which can result in information disclosure or data manipulation.
2) Prototype pollution (CVE-ID: CVE-2026-44490)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation in the merge() function in lib/utils.js. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in data manipulation or denial of service (DoS) condition.
3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-44492)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists because "shouldBypassProxy" does not normalise IPv4-mapped IPv6 addresses. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network, or to send malicious requests to other servers from the vulnerable system.
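As an added illustration for this entry (example code, not axios code): a host normaliser that collapses the IPv4-mapped IPv6 spellings of an address to the IPv4 address they denote, run ahead of the bypass decision, beside the plain string-compare check under which those spellings fall through the list. The NO_PROXY list, the hosts and all function names are the example's own; the security point is only that every spelling of one address must reach the same decision.

```javascript
// Added example (not axios code): normalising a URL host before a proxy-bypass
// decision, so that the IPv4-mapped IPv6 spellings of an address get the same
// answer as the plain IPv4 spelling. Names and the NO_PROXY list are the
// example's own.

// Prefix forms of an IPv4-mapped IPv6 address: "::ffff:", "0::ffff:",
// "0:0:0:0:0:ffff:" and so on, followed by a dotted quad or two hex groups.
const MAPPED_PREFIX = '(?:(?:0{1,4}:){5}|(?:0{1,4}(?::0{1,4}){0,3})?::)ffff:';
const MAPPED_DOTTED = new RegExp(`^${MAPPED_PREFIX}(\\d{1,3}(?:\\.\\d{1,3}){3})$`);
const MAPPED_HEX = new RegExp(`^${MAPPED_PREFIX}([0-9a-f]{1,4}):([0-9a-f]{1,4})$`);

function isDottedQuad(text) {
  return text.split('.').every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
}

// Canonical host form: lowercase, no IPv6 brackets, no trailing dot, and an
// IPv4-mapped IPv6 address collapsed to the IPv4 address it denotes.
function normalizeHost(hostname) {
  let host = hostname.trim().toLowerCase();
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1);
  host = host.replace(/\.$/, '');
  const dotted = MAPPED_DOTTED.exec(host);
  if (dotted && isDottedQuad(dotted[1])) return dotted[1];
  const hex = MAPPED_HEX.exec(host);
  if (hex) {
    const hi = parseInt(hex[1], 16);
    const lo = parseInt(hex[2], 16);
    return `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`;
  }
  return host;
}

// NO_PROXY-style rule: "*" matches everything, a leading dot matches the
// domain and its subdomains, anything else is an exact host match.
function matchesRule(host, rule) {
  if (rule === '*') return true;
  if (rule.startsWith('.')) return host === rule.slice(1) || host.endsWith(rule);
  return host === rule;
}

// Bypass check that only lowercases the host before comparing: a mapped IPv6
// spelling of a listed IPv4 address does not match any entry.
function naiveShouldBypassProxy(hostname, noProxyList) {
  const host = hostname.toLowerCase();
  return noProxyList.some((entry) => matchesRule(host, entry.toLowerCase()));
}

// Same check with both sides normalised, so every spelling of a listed
// address reaches the same decision.
function shouldBypassProxy(hostname, noProxyList) {
  const host = normalizeHost(hostname);
  return noProxyList.some((entry) => matchesRule(host, normalizeHost(entry)));
}

// Constructed bypass list for the demonstration.
const NO_PROXY = ['127.0.0.1', 'localhost', '.corp.example'];

function demo() {
  const spellings = ['127.0.0.1', '[::ffff:127.0.0.1]', '[::ffff:7f00:1]', '[0:0:0:0:0:ffff:127.0.0.1]'];
  return spellings.map((h) => ({
    host: h,
    naive: naiveShouldBypassProxy(h, NO_PROXY),       // true only for the first spelling
    normalised: shouldBypassProxy(h, NO_PROXY),       // true for all four
  }));
}

console.table(demo());
```

The normaliser accepts the hex form as well as the dotted one because a WHATWG URL parser serialises IPv6 hosts in compressed hex form, so the hostname a client actually sees for `http://[::ffff:127.0.0.1]/` is `[::ffff:7f00:1]`. Any check that is meant to apply to `127.0.0.1` must therefore also apply to both of those spellings.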
4) Prototype pollution (CVE-ID: CVE-2026-44489)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation in the "setProxy()" function in lib/adapters/http.js. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in data manipulation.
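An added example covering entries 1, 2 and 4 (example code, not axios code): a deep merge that skips the keys through which a plain `target[key] = value` loop reaches Object.prototype, beside a scan that rejects such input before any merge runs. The function names and the JSON config are the example's own; the config is shaped like a proxy section parsed from untrusted input.

```javascript
// Added example (not axios code): a deep merge that refuses to write through
// prototype-carrying keys, plus a pre-merge scan that rejects such input
// outright. Function and constant names are the example's own.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True for objects created by JSON.parse or object literals; arrays, class
// instances and primitives are copied by reference, never merged into.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Deep merge of `source` into `target` that skips the keys through which a
// plain assignment could reach Object.prototype. Nested containers it creates
// have a null prototype, so an inherited "constructor" cannot be reached either.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      if (!hasOwn || !isPlainObject(target[key])) target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Pre-merge validation: returns the dotted path of the first forbidden key
// found anywhere in `value` (arrays included), or null when the input is clean.
function findPrototypeKey(value, path = []) {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPrototypeKey(value[i], [...path, String(i)]);
      if (hit) return hit;
    }
    return null;
  }
  if (!isPlainObject(value)) return null;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return [...path, key].join('.');
    const hit = findPrototypeKey(value[key], [...path, key]);
    if (hit) return hit;
  }
  return null;
}

// Constructed input: a proxy section shaped like untrusted JSON config.
// JSON.parse turns "__proto__" into an *own* key, which is exactly what a
// naive `target[key] = value` loop would then assign through.
const UNTRUSTED_CONFIG = JSON.parse(
  '{"proxy":{"host":"proxy.example","port":8080,"__proto__":{"polluted":true}}}'
);

function demo() {
  const defaults = { proxy: { host: 'localhost', port: 3128 }, timeout: 1000 };
  const merged = safeMerge(defaults, UNTRUSTED_CONFIG);
  return {
    flagged: findPrototypeKey(UNTRUSTED_CONFIG),                                   // 'proxy.__proto__'
    mergedHost: merged.proxy.host,                                                 // 'proxy.example'
    mergedTimeout: merged.timeout,                                                 // 1000
    globalPolluted: ({}).polluted !== undefined,                                   // false
    ownProtoKey: Object.prototype.hasOwnProperty.call(merged.proxy, '__proto__'),  // false
  };
}

console.log(demo());
```

The two functions are complementary: `findPrototypeKey` is the check to run at the trust boundary (a request body, a config file, a query string parsed into an object), and `safeMerge` is the defence that still holds if some other code path forgets that check.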
5) Inefficient regular expression complexity (CVE-ID: CVE-2026-44496)
CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to inefficient regular expression complexity in the read(name) helper in lib/helpers/cookies.js when processing an attacker-controlled XSRF cookie name while reading document.cookie. A remote attacker can supply a crafted cookie name containing regex metacharacters to cause a denial of service.
The issue affects standard browser environments and can freeze the affected browser tab while axios prepares a request. Applications are affected only when attacker-controlled data reaches the XSRF cookie name configuration or an unsafe direct call to the internal cookie helper.
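As an added illustration for this entry (example code, not axios code): two ways to read one cookie by name without letting the name change the matching logic, either by validating the name against the RFC 6265 token charset and escaping it before a RegExp is built from it, or by not building a RegExp at all. Function names and the document.cookie-style string are the example's own.

```javascript
// Added example (not axios code): two ways to read one cookie by name without
// letting the name change the matching logic. Names are the example's own.

// RFC 6265 cookie-name (token) characters. Rejecting anything else up front
// keeps most regex metacharacters out of a name that came from configuration.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isValidCookieName(name) {
  return typeof name === 'string' && COOKIE_NAME_RE.test(name);
}

// Escapes every regex metacharacter so the name matches only itself. Still
// needed after validation: ".", "*", "+", "?", "^", "$" and "|" are token chars.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function safeDecode(value) {
  try { return decodeURIComponent(value); } catch { return value; }
}

// Option 1: keep a RegExp, but only ever build it from a validated, escaped
// name, so the pattern's structure is fixed and the name is a literal.
function readCookieWithRegExp(cookieString, name) {
  if (!isValidCookieName(name)) throw new TypeError(`invalid cookie name: ${name}`);
  const re = new RegExp('(?:^|;\\s*)' + escapeRegExp(name) + '=([^;]*)');
  const m = re.exec(cookieString);
  return m ? safeDecode(m[1].trim()) : null;
}

// Option 2: no RegExp at all. Split on ';' and compare names after trimming;
// cost is linear in the cookie string whatever `name` contains.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) return safeDecode(part.slice(eq + 1).trim());
  }
  return null;
}

// Constructed document.cookie-style string for the demonstration.
const DOCUMENT_COOKIE = 'session=abc123; XSRF-TOKEN=tok%20456; theme=dark';

console.log(readCookie(DOCUMENT_COOKIE, 'XSRF-TOKEN'));            // 'tok 456'
console.log(readCookieWithRegExp(DOCUMENT_COOKIE, 'XSRF-TOKEN'));  // 'tok 456'
```

Option 2 is the simpler fix for a helper that only ever needs one cookie; option 1 shows the minimum that makes a RegExp-based reader safe when the name is configurable.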
6) Information disclosure (CVE-ID: CVE-2026-44486)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper handling of sensitive headers in the Node.js HTTP adapter in lib/adapters/http.js when following redirects after proxy settings are re-evaluated from an authenticated proxy to a direct connection. A remote attacker can cause the application to follow a crafted redirect so that proxy credentials are sent to the redirect target, disclosing sensitive information.
Only the Node.js HTTP adapter is affected, and exploitation requires automatic redirects to be enabled with an authenticated proxy configuration.
7) Insertion of Sensitive Information Into Sent Data (CVE-ID: CVE-2026-44487)
CWE-ID: CWE-201 - Insertion of Sensitive Information Into Sent Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to insertion of sensitive information into sent data in the Node.js HTTP adapter when following an HTTP-to-HTTPS redirect from a proxied request to a direct request. A remote attacker can trigger a crafted redirect flow to disclose sensitive information.
Only Node.js requests using the HTTP adapter are affected, and exploitation requires redirects to be followed and proxy credentials to be configured for the initial HTTP request but not for the redirected HTTPS request.
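An added example covering entries 6 and 7 (example code, not axios code): planning the next hop of a redirect chain so that Proxy-Authorization travels with the proxy it belongs to rather than with the request. The proxy map (authenticated proxy for plain HTTP only, so HTTPS goes direct, as in entry 7), the URLs, the credentials and the function names are the example's own; `btoa` is the global available in Node 16+ and browsers.

```javascript
// Added example (not axios code): deciding which headers survive a redirect
// hop when the proxy decision changes between hops. Proxy-Authorization is
// bound to a particular proxy, not to the request, so it is dropped whenever
// the next hop does not go through that same proxy. Names, the proxy map and
// the URLs are the example's own.

const PROXY_BOUND = new Set(['proxy-authorization']);
const ORIGIN_BOUND = new Set(['authorization', 'cookie']);

function basicAuth({ username, password }) {
  return 'Basic ' + btoa(`${username}:${password}`); // btoa: global in Node 16+ and browsers
}

// Proxy for a URL, or null for a direct connection. `proxies` maps a scheme
// to a proxy (like HTTP_PROXY / HTTPS_PROXY); `noProxy` lists exact hosts.
function proxyFor(url, proxies, noProxy) {
  if (noProxy.includes(url.hostname)) return null;
  return proxies[url.protocol.slice(0, -1)] || null;
}

function sameProxy(a, b) {
  return Boolean(a && b && a.host === b.host && a.port === b.port);
}

// Builds the next hop. `current` is { url, proxy, headers }; `location` is
// the Location header value. Returns { url, proxy, headers } with all header
// names lower-cased.
function planRedirectHop(current, location, proxies, noProxy = []) {
  const currentUrl = new URL(current.url);
  const nextUrl = new URL(location, currentUrl);
  const nextProxy = proxyFor(nextUrl, proxies, noProxy);
  const keepProxyAuth = sameProxy(current.proxy, nextProxy);
  const sameOrigin = nextUrl.origin === currentUrl.origin;
  const headers = {};
  for (const [name, value] of Object.entries(current.headers)) {
    const key = name.toLowerCase();
    if (PROXY_BOUND.has(key) && !keepProxyAuth) continue;   // proxy changed or gone
    if (ORIGIN_BOUND.has(key) && !sameOrigin) continue;     // origin changed
    headers[key] = value;
  }
  // Credentials for the new hop come from the new hop's own proxy config.
  if (nextProxy && nextProxy.auth && !keepProxyAuth) {
    headers['proxy-authorization'] = basicAuth(nextProxy.auth);
  }
  return { url: nextUrl.href, proxy: nextProxy, headers };
}

// Constructed setup: an authenticated proxy for plain HTTP only, so HTTPS
// requests go direct (the CVE-2026-44487 scenario from the entry above).
const PROXIES = {
  http: { host: 'proxy.internal', port: 3128, auth: { username: 'svc', password: 'hunter2' } },
};

const INITIAL = {
  url: 'http://app.example/login',
  proxy: PROXIES.http,
  headers: {
    'Proxy-Authorization': basicAuth(PROXIES.http.auth),
    Authorization: 'Bearer t0k3n',
    Accept: 'application/json',
  },
};

function demo() {
  return {
    // HTTP -> HTTPS on the same host: next hop is direct, so no proxy-authorization
    upgrade: planRedirectHop(INITIAL, 'https://app.example/login', PROXIES),
    // HTTP -> HTTP elsewhere: same proxy, so the header is kept
    sameProxyHop: planRedirectHop(INITIAL, 'http://other.example/', PROXIES),
    // HTTP -> HTTP to a bypassed host: direct, so the header is dropped
    bypassed: planRedirectHop(INITIAL, 'http://intranet.example/', PROXIES, ['intranet.example']),
  };
}

console.log(demo());
```

The rule is deliberately keyed on the proxy identity, not on the scheme: a redirect that stays on plain HTTP but lands on a NO_PROXY host also becomes a direct connection, and the header has to go in that case too.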
8) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-44488)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the fetch adapter when processing requests and responses with configured finite size limits. A remote attacker can supply an oversized response, a large data: URL, or an oversized request body to cause a denial of service.
The issue affects server-side usage where applications rely on maxContentLength or maxBodyLength being enforced by the fetch adapter.
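As an added illustration for this entry (example code, not axios code): a collector that applies a byte limit while a body is still arriving, and a data: URL sizer that applies the limit before anything is decoded. The same collector serves a response body under a maxContentLength-style limit and a request body under a maxBodyLength-style limit; a limit below 0 means unlimited. Function names and the sample inputs are the example's own; `atob`, `TextEncoder` and `TextDecoder` are the globals available in Node 16+ and browsers.

```javascript
// Added example (not axios code): applying a byte limit while a body is being
// collected, and sizing a data: URL before it is decoded. Names are the
// example's own; a limit below 0 means unlimited.

function assertWithinLimit(size, limit, what) {
  if (limit >= 0 && size > limit) {
    throw new RangeError(`${what} of ${size} bytes exceeds limit of ${limit}`);
  }
}

// Collects Uint8Array chunks, checking the running total on every chunk so an
// oversized body is rejected the moment it crosses the limit, not after it
// has been fully buffered.
function collectWithLimit(chunks, limit, what = 'body') {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.byteLength;
    assertWithinLimit(total, limit, what);
    parts.push(chunk);
  }
  const out = new Uint8Array(total);
  let offset = 0;
  for (const part of parts) {
    out.set(part, offset);
    offset += part.byteLength;
  }
  return out;
}

function splitDataUrl(dataUrl) {
  const comma = dataUrl.indexOf(',');
  if (!dataUrl.startsWith('data:') || comma === -1) throw new TypeError('not a data: URL');
  const meta = dataUrl.slice(5, comma);
  return { isBase64: /;base64$/i.test(meta), payload: dataUrl.slice(comma + 1) };
}

// Decoded size of a data: URL computed from its text alone, so the limit can
// be applied before any buffer is allocated.
function dataUrlDecodedLength(dataUrl) {
  const { isBase64, payload } = splitDataUrl(dataUrl);
  if (isBase64) {
    const clean = payload.replace(/\s+/g, '');
    const padding = (clean.match(/=+$/) || [''])[0].length;
    return Math.floor((clean.length * 3) / 4) - padding;
  }
  const stripped = payload.replace(/%[0-9a-f]{2}/gi, '');
  const escapedBytes = (payload.length - stripped.length) / 3;   // one byte per %XX
  return escapedBytes + new TextEncoder().encode(stripped).length;
}

function readDataUrlWithLimit(dataUrl, limit) {
  assertWithinLimit(dataUrlDecodedLength(dataUrl), limit, 'data: URL');
  const { isBase64, payload } = splitDataUrl(dataUrl);
  if (isBase64) {
    const binary = atob(payload.replace(/\s+/g, ''));           // atob: global in Node 16+
    return Uint8Array.from(binary, (c) => c.charCodeAt(0));
  }
  return new TextEncoder().encode(decodeURIComponent(payload)); // UTF-8 payloads only
}

// Constructed inputs for the demonstration.
const enc = (s) => new TextEncoder().encode(s);
const SAMPLE_CHUNKS = [enc('abc'), enc('def'), enc('g')];          // 7 bytes in three chunks
const SAMPLE_DATA_URL = 'data:text/plain;base64,SGVsbG8=';          // "Hello", 5 bytes decoded

function demo() {
  const results = { collected: new TextDecoder().decode(collectWithLimit(SAMPLE_CHUNKS, 10)) };
  try {
    collectWithLimit(SAMPLE_CHUNKS, 6);   // third chunk pushes the total to 7
    results.rejected = false;
  } catch (e) {
    results.rejected = e instanceof RangeError;
  }
  results.dataUrlSize = dataUrlDecodedLength(SAMPLE_DATA_URL);
  return results;   // { collected: 'abcdefg', rejected: true, dataUrlSize: 5 }
}

console.log(demo());
```

Checking the running total per chunk is what makes the limit meaningful for a streamed response: a check that runs only once the whole body is in memory has already paid the allocation the limit was meant to prevent. The data: URL case is the same idea one step earlier, since the decoded size follows from the payload text.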
Remediation
Install the update from the vendor's website.
References
- https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh
- https://github.com/axios/axios/security/advisories/GHSA-898c-q2cr-xwhg
- https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv
- https://github.com/axios/axios/security/advisories/GHSA-654m-c8p4-x5fp
- https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf
- https://github.com/axios/axios
- https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc
- https://github.com/axios/axios/commit/afca61a
- https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v
- https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf
- https://github.com/axios/axios/commit/e5540dc