Prototype pollution in axios - #VU136909
Published: July 6, 2026
axios
Detailed vulnerability description
The vulnerability allows a remote user to tamper with outbound requests.
The vulnerability exists due to improper control of object prototype attributes in Basic auth handling in lib/adapters/http.js and lib/helpers/resolveConfig.js when processing requests with an own auth object that omits username or password in a host process already affected by prototype pollution. A remote user can pollute Object.prototype.username and Object.prototype.password to tamper with outbound requests.
Exploitation requires a separate prototype-pollution primitive in the host process, and affects requests where config.auth is an own object but username and/or password are absent own properties.