Prototype pollution in axios - #VU127595
Published: April 24, 2026
axios
Detailed vulnerability description
The vulnerability allows a remote attacker to suppress HTTP error handling in axios and, through it, bypass application-level authentication checks that rely on axios rejecting non-2xx responses.
The vulnerability exists due to improperly controlled modification of object prototype attributes ('prototype pollution') in lib/core/mergeConfig.js and lib/core/settle.js. When request configuration is merged, lib/core/mergeConfig.js reads the validateStatus option from the request config through the prototype chain, so a validateStatus property planted on Object.prototype is picked up as if the caller had supplied it, and lib/core/settle.js then uses that function to decide whether a response is resolved or rejected. An attacker who has already polluted Object.prototype.validateStatus with a function that always returns true causes every response, including 401, 403 and 5xx, to be resolved as a success. This suppresses axios's HTTP error handling and bypasses application-level authentication checks that treat a rejected request as a failed login or an expired session.
axios itself does not pollute the prototype: exploitation requires chaining with an existing prototype pollution vulnerability elsewhere in the application stack (for example, a dependency that deep-merges untrusted JSON into a plain object) that lets the attacker set Object.prototype.validateStatus.
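The following JavaScript is an added example, not axios's code and not part of this advisory. It is a simplified model of the mergeConfig/settle behaviour described above: the same 401 response is run through a vulnerable merge and a hardened merge, first with a clean prototype and then after Object.prototype.validateStatus has been polluted by the upstream bug this gadget depends on. The defaults object, the function names, the fixed list of merged keys and the sessionLooksValid check are assumptions made for illustration.

```javascript
'use strict';

// Assumed defaults for the model: the 2xx-only rule axios documents as its
// default validateStatus.
const defaults = {
  validateStatus: (status) => status >= 200 && status < 300,
};

// Vulnerable merge (simplified model, not axios's code). `config[key]` walks
// the prototype chain, so when the caller set no validateStatus of its own a
// polluted Object.prototype.validateStatus is taken instead of the default.
function mergeConfigVulnerable(config = {}) {
  const merged = {};
  for (const key of ['validateStatus', 'url', 'method']) {
    merged[key] = config[key] !== undefined ? config[key] : defaults[key];
  }
  return merged;
}

// Hardened merge: only own properties of the caller's config may override a
// default, and the merged object has no prototype to fall back on.
function mergeConfigHardened(config = {}) {
  const merged = Object.create(null);
  for (const key of ['validateStatus', 'url', 'method']) {
    merged[key] = Object.prototype.hasOwnProperty.call(config, key)
      ? config[key]
      : defaults[key];
  }
  return merged;
}

// Model of settle(): accept the response when validateStatus says so.
// Returns 'resolved' or 'rejected' instead of calling promise callbacks.
function settle(response) {
  const validateStatus = response.config.validateStatus;
  if (!response.status || !validateStatus || validateStatus(response.status)) {
    return 'resolved';
  }
  return 'rejected';
}

// Constructed response: the server refused the request.
const unauthorized = { status: 401, data: { error: 'invalid session' } };

// Assumed application check: the session is treated as valid whenever the
// request did not reject. This is exactly the pattern the gadget defeats.
function sessionLooksValid(merge) {
  return settle({ ...unauthorized, config: merge({}) }) === 'resolved';
}

// Run the 401 through both merges with a clean prototype, then again after
// the pollution an upstream bug would introduce. The pollution is removed in
// `finally` so nothing else in the process is affected.
function demo() {
  const clean = {
    vulnerable: sessionLooksValid(mergeConfigVulnerable),
    hardened: sessionLooksValid(mergeConfigHardened),
  };
  Object.prototype.validateStatus = () => true; // the gadget: accept everything
  let polluted;
  try {
    polluted = {
      vulnerable: sessionLooksValid(mergeConfigVulnerable),
      hardened: sessionLooksValid(mergeConfigHardened),
    };
  } finally {
    delete Object.prototype.validateStatus;
  }
  return { clean, polluted };
}

console.log(JSON.stringify(demo(), null, 2));
```

With a clean prototype both merges reject the 401 and the session check fails as intended. Once validateStatus is polluted, the vulnerable merge reports the 401 as a valid session while the hardened merge, which consults only own properties and keeps its defaults on a null-prototype object, still rejects it. The same own-property discipline is the check to look for when auditing any config-merging code for prototype-pollution gadgets.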