Prototype pollution in axios - #VU127592

Published: April 24, 2026


Vulnerability identifier: #VU127592
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: axios
Affected software:
axios

Detailed vulnerability description

The vulnerability allows a remote attacker to inject credentials and hijack requests.

The vulnerability exists due to improperly controlled modification of object prototype attributes (prototype pollution, CWE-1321) in the HTTP adapter: configuration properties are read via direct property access, so a key the application never set falls through to a polluted Object.prototype and is treated as configuration. A remote attacker who can pollute Object.prototype through another dependency in the same process can use this to inject credentials and hijack requests.

Exploitation requires prototype pollution by another dependency in the same process; once that is present, requests using relative URLs can be redirected to an attacker-controlled server.
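The following is an added example, not axios's own code, illustrating the CWE-1321 pattern the description above refers to: a configuration reader that uses direct property access picks up whatever another component wrote onto Object.prototype, while a reader restricted to own properties does not. The function names, the `baseURL` key and the `example.invalid` host are hypothetical stand-ins and the pollution is simulated inside the block itself so it runs offline.

```javascript
// Added example, not axios's own code: the CWE-1321 pattern the advisory describes.
// readConfigNaive, readConfigSafe, resolveRequestUrl and the 'baseURL' key are hypothetical;
// they stand in for an HTTP client reading its per-request configuration.

// Naive reader: a key the application never set falls through to Object.prototype,
// so anything another dependency wrote there is returned as if it were configuration.
function readConfigNaive(config, key) {
  return config[key];
}

// Hardened reader: only the object's own properties count as configuration;
// inherited values, polluted or not, are treated as "unset".
function readConfigSafe(config, key) {
  return Object.hasOwn(config, key) ? config[key] : undefined;
}

// Resolve a relative request path against the configured base URL, if one is set.
// With no base, the relative path is returned unchanged (a real client would then
// fall back to its own default, which is the behaviour the application expects).
function resolveRequestUrl(config, relativePath, read = readConfigSafe) {
  const base = read(config, 'baseURL');
  return base ? new URL(relativePath, base).href : relativePath;
}

// Detection aid: Object.prototype normally has no own enumerable keys, so any that
// appear at runtime are a strong signal that something in the process polluted it.
function findPrototypePollution() {
  return Object.keys(Object.prototype);
}

// Demo: a config with no baseURL, resolved before and after a simulated pollution of
// Object.prototype (constructed here to stand in for a faulty third-party dependency).
function demonstrate() {
  const config = { timeout: 1000 }; // constructed: the application set no baseURL
  const path = '/api/data';        // constructed relative request URL
  const result = {
    before: {
      naive: resolveRequestUrl(config, path, readConfigNaive),
      safe: resolveRequestUrl(config, path, readConfigSafe),
      polluted: findPrototypePollution(),
    },
  };
  // Simulated pollution; 'example.invalid' is a constructed placeholder for a foreign host.
  Object.prototype.baseURL = 'https://example.invalid/';
  try {
    result.after = {
      naive: resolveRequestUrl(config, path, readConfigNaive),
      safe: resolveRequestUrl(config, path, readConfigSafe),
      polluted: findPrototypePollution(),
    };
  } finally {
    delete Object.prototype.baseURL; // always restore the shared prototype
  }
  return result;
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

Before pollution both readers return the bare relative path; after it, the naive reader resolves the request against the injected host while the hardened reader still ignores it. The same own-property discipline applies to any other configuration key (headers, auth, proxy settings), and an application that cannot vet every dependency can additionally call `Object.freeze(Object.prototype)` at startup so later assignments to it fail instead of silently taking effect; `findPrototypePollution()` is a cheap runtime check to run in tests or health probes.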


Remediation

Install security update from vendor's website.

Sources