Prototype pollution in axios - #VU136913
Published: July 6, 2026
axios
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information or modify outbound traffic.
The vulnerability exists due to improperly controlled modification of object prototype attributes in the Node HTTP adapter when processing plain config objects after Object.prototype has already been polluted. A remote user can pollute Object.prototype.proxy to disclose sensitive information or modify outbound traffic.
This affects direct low-level adapter usage with plain config objects that do not define their own proxy property.