Prototype pollution in axios - #VU136913

 

Prototype pollution in axios - #VU136913

Published: July 6, 2026


Vulnerability identifier: #VU136913
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: axios
Affected software:
axios

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information or modify outbound traffic.

The vulnerability exists due to improperly controlled modification of object prototype attributes in the Node HTTP adapter when processing plain config objects after Object.prototype has already been polluted. A remote user can pollute Object.prototype.proxy to disclose sensitive information or modify outbound traffic.

This affects direct low-level adapter usage with plain config objects that do not define their own proxy property.


Remediation

Install security update from vendor's website.

Sources