Permissive List of Allowed Inputs in axios - #VU127596


Published: April 24, 2026


Vulnerability identifier: #VU127596
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-183
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: axios
Affected software:
axios

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and bypass CSRF protections.

The vulnerability exists due to a permissive list of allowed inputs in lib/helpers/resolveConfig.js when processing the withXSRFToken config property during browser requests. A remote attacker can pollute Object.prototype.withXSRFToken with a truthy non-boolean value, or rely on a misconfigured truthy non-boolean value, to disclose sensitive information and bypass CSRF protections.

User interaction is required. The issue affects only browser environments, since the XSRF logic runs only when hasStandardBrowserEnv is true.
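The weakness described above comes down to a truthiness check that accepts any value, including one inherited through the prototype chain. The following added example is not axios's own code; it models the decision "should this browser request attach the XSRF token?" with a permissive check beside a hardened one, using hypothetical function names and constructed config scenarios.

```javascript
// Permissive check: any truthy value enables the token, including a value
// inherited from a polluted prototype or a non-boolean like the string "false".
function withXsrfTokenPermissive(config) {
  return Boolean(config.withXSRFToken);
}

// Hardened check: only an own property whose value is exactly `true`.
// The hasOwnProperty test matters because `=== true` alone would still accept
// a `true` planted on the prototype chain.
function withXsrfTokenStrict(config) {
  return Object.prototype.hasOwnProperty.call(config, 'withXSRFToken') &&
    config.withXSRFToken === true;
}

// Constructed scenarios. The "inherited" cases model a prototype-pollution
// outcome with an isolated prototype object rather than touching the global
// Object.prototype, so running this has no side effects.
function buildScenarios() {
  return {
    unset: {},
    explicitTrue: { withXSRFToken: true },
    explicitFalse: { withXSRFToken: false },
    misconfiguredString: { withXSRFToken: 'false' },
    inheritedTruthyString: Object.create({ withXSRFToken: 'yes' }),
    inheritedTrue: Object.create({ withXSRFToken: true }),
  };
}

// Returns, per scenario, what each check decides.
function compareChecks() {
  const out = {};
  for (const [name, config] of Object.entries(buildScenarios())) {
    out[name] = {
      permissive: withXsrfTokenPermissive(config),
      strict: withXsrfTokenStrict(config),
    };
  }
  return out;
}

// Print the comparison; useful when auditing how a config value is validated.
for (const [name, r] of Object.entries(compareChecks())) {
  console.log(`${name}: permissive=${r.permissive} strict=${r.strict}`);
}
```

Only the explicit boolean `true` passes the strict check; every other scenario that the permissive check accepts is rejected.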


Remediation

Install the security update from the vendor's website.

Sources