Prototype pollution in axios - #VU136910
Published: July 6, 2026
axios
Detailed vulnerability description
The vulnerability allows a remote user to tamper with outbound requests and disclose sensitive information.
The vulnerability exists due to improper control of object prototype attributes in params and paramsSerializer handling in lib/helpers/resolveConfig.js when building request URLs in a host process already affected by prototype pollution. A remote user can pollute Object.prototype.params or Object.prototype.paramsSerializer to tamper with outbound requests and disclose sensitive information.
Exploitation requires a separate prototype-pollution primitive in the host process. The advisory notes that attacker-controlled paramsSerializer functions are not achievable through JSON-only prototype pollution.