Prototype pollution in axios - #VU136912
Published: July 6, 2026
axios
Detailed vulnerability description
The vulnerability allows a remote user to alter request semantics.
The vulnerability exists due to improperly controlled modification of object prototype attributes in bodyless method aliases in lib/core/Axios.js when processing requests after Object.prototype has already been polluted. A remote user can pollute Object.prototype.data to alter request semantics.
Exploitation requires chaining with a separate prototype pollution condition in the same process.