Prototype pollution in axios - CVE-2026-44495

Published: May 29, 2026

Vulnerability identifier: #VU132949
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-44495
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: axios
Affected software:
axios

Detailed vulnerability description

The vulnerability allows a remote attacker to execute injected code in the Axios request-processing context, disclose sensitive information, tamper with response data, or cause a denial of service.

The vulnerability exists due to improperly controlled modification of object prototype attributes in Axios request config processing and response transformation: when Object.prototype has been polluted with a crafted transformResponse value, Axios picks up that inherited value while handling requests. A remote attacker who can pollute Object.prototype.transformResponse through a separate prototype-pollution primitive can therefore execute injected code in the Axios request-processing context, disclose sensitive information, tamper with response data, or cause a denial of service.

Exploitation requires a separate vulnerability or equivalent capability to control Object.prototype in the same JavaScript process or browser context before Axios merges or validates the request config. Browser and Node usage can both be affected.
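An added example (not from this advisory or the axios project) of the CWE-1321 pattern described above: a config lookup that walks the prototype chain picks up an inherited transformResponse the caller never set, while an own-property check with type validation does not. The pollutedProto, userConfig and defaults objects are constructed stand-ins; the real Object.prototype is never modified.

```javascript
// Added example (not axios code): how an inherited `transformResponse`
// leaks into a config lookup, and the own-property check that stops it.
// The "polluted" prototype is a constructed stand-in for Object.prototype;
// the global prototype is never modified here.

// Own property names a clean Object.prototype has in V8; anything else is suspect.
const EXPECTED_PROTO_KEYS = new Set([
  'constructor', '__defineGetter__', '__defineSetter__', 'hasOwnProperty',
  '__lookupGetter__', '__lookupSetter__', 'isPrototypeOf',
  'propertyIsEnumerable', 'toString', 'valueOf', '__proto__', 'toLocaleString',
]);

// Defensive audit: list own keys on a prototype that should not be there.
// Defaults to the real Object.prototype so an app can call it at startup.
function auditPrototype(proto = Object.prototype) {
  return Object.getOwnPropertyNames(proto).filter((k) => !EXPECTED_PROTO_KEYS.has(k));
}

// Naive lookup: `config.transformResponse` walks the prototype chain, so a
// polluted prototype supplies a transform the caller never set.
function naiveTransform(config, defaults) {
  return config.transformResponse || defaults.transformResponse;
}

// Hardened lookup: only an own property of the caller's config counts, and
// the value must be a function or an array of functions.
function safeTransform(config, defaults) {
  const own = Object.hasOwn(config, 'transformResponse');
  const v = own ? config.transformResponse : defaults.transformResponse;
  const fns = Array.isArray(v) ? v : [v];
  if (!fns.every((f) => typeof f === 'function')) {
    throw new TypeError('transformResponse must be a function or an array of functions');
  }
  return fns;
}

// Constructed scenario: a config whose prototype carries an injected transform,
// standing in for a process where Object.prototype was polluted.
const pollutedProto = { transformResponse: [(data) => 'injected:' + data] };
const userConfig = Object.create(pollutedProto); // the caller set no transform
const defaults = { transformResponse: [(data) => JSON.parse(data)] };

function demo() {
  const naive = naiveTransform(userConfig, defaults)[0]('{"ok":true}');
  const safe = safeTransform(userConfig, defaults)[0]('{"ok":true}');
  return { naive, safe, audit: auditPrototype(pollutedProto) };
}
```

Calling auditPrototype() with no argument checks the real Object.prototype, which an application can do at startup as a cheap detection of pollution before any request is built; freezing Object.prototype is a further hardening where the application tolerates it.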


How to mitigate CVE-2026-44495

Install the security update from the vendor's website.
