Prototype pollution in axios - #VU127605

Published: April 24, 2026


Vulnerability identifier: #VU127605
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: axios
Affected software:
axios

Detailed vulnerability description

The vulnerability allows a remote attacker to tamper with requests or responses and disclose sensitive information.

The vulnerability exists due to prototype pollution in mergeConfig: when transformRequest and transformResponse are resolved during config merging, inherited values are read through the prototype chain, so a polluted Object.prototype supplies them. A remote attacker who can set Object.prototype.transformRequest or Object.prototype.transformResponse (for example through a separate prototype-pollution flaw in the application) gets their function invoked on every outgoing request or incoming response, which allows tampering with requests or responses and disclosing sensitive information.

This gadget requires a discriminator: the polluted function is also reached during option validation, so a payload must be able to tell the validation call apart from the real transform call before it acts.
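The following is an added illustration, not axios source code, of the class of bug described above. It models a config merge for the two transform keys in two ways: a vulnerable variant that uses the `in` operator (which walks the prototype chain) and a hardened variant that honours only own properties and builds the result on a null-prototype object. The pollution write, the sample request body and the names mergeConfigVulnerable, mergeConfigHardened, applyTransforms and demo are all constructed for this example; the validation-path discriminator is not modelled.

```javascript
// Added illustration of the inherited-config gadget; not axios's own mergeConfig.

const TRANSFORM_KEYS = ['transformRequest', 'transformResponse'];

// Vulnerable merge: `key in obj` is true for inherited properties, so a
// polluted Object.prototype.transformRequest looks like a caller-supplied value.
function mergeConfigVulnerable(defaults, config) {
  const merged = {};
  for (const key of TRANSFORM_KEYS) {
    if (key in config) merged[key] = config[key];
    else if (key in defaults) merged[key] = defaults[key];
  }
  return merged;
}

// Hardened merge: only own properties of the inputs are copied, and the result
// has no prototype, so a key neither side set stays genuinely absent instead
// of being resolved from Object.prototype later.
function mergeConfigHardened(defaults, config) {
  const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const merged = Object.create(null);
  for (const key of TRANSFORM_KEYS) {
    if (hasOwn(config, key)) merged[key] = config[key];
    else if (hasOwn(defaults, key)) merged[key] = defaults[key];
  }
  return merged;
}

// Run each transform function over the payload in order, the way a client
// would before sending a request body or after receiving a response body.
function applyTransforms(fns, data, headers) {
  const list = Array.isArray(fns) ? fns : (fns ? [fns] : []);
  return list.reduce((d, fn) => fn(d, headers), data);
}

// Merge a defaults object against an empty user config while Object.prototype
// is polluted, then restore the prototype. Returns what each strategy would
// send and whether a polluted response transform leaked into the merged config.
function demo() {
  // Constructed inputs: the library default serialises the body as JSON; the
  // caller sets no transform of its own.
  const defaults = { transformRequest: [(d) => JSON.stringify(d)] };
  const userConfig = {};
  const body = { user: 'alice' };

  // Constructed pollution: the kind of write a separate prototype-pollution
  // bug would leave behind. It rewrites every outgoing body and installs a
  // response hook that was never configured anywhere.
  Object.prototype.transformRequest = [(d) => 'tampered:' + JSON.stringify(d)];
  Object.prototype.transformResponse = [(d) => d];
  try {
    const vulnerable = mergeConfigVulnerable(defaults, userConfig);
    const hardened = mergeConfigHardened(defaults, userConfig);
    return {
      requestBodyVulnerable: applyTransforms(vulnerable.transformRequest, body, {}),
      requestBodyHardened: applyTransforms(hardened.transformRequest, body, {}),
      responseHookLeakedVulnerable: typeof vulnerable.transformResponse !== 'undefined',
      responseHookLeakedHardened: typeof hardened.transformResponse !== 'undefined',
    };
  } finally {
    delete Object.prototype.transformRequest;
    delete Object.prototype.transformResponse;
  }
}

module.exports = { mergeConfigVulnerable, mergeConfigHardened, applyTransforms, demo };
```

The null-prototype result matters as much as the own-property check: with a plain `{}` result, a later `merged.transformResponse` read would still fall through to the polluted prototype even though the merge itself copied nothing.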


Remediation

Install the security update from the vendor's website.

Sources