Prototype pollution in axios - #VU136914
Published: July 6, 2026
axios
Detailed vulnerability description
The vulnerability allows a remote user to control URL serialization and disclose sensitive information.
The vulnerability exists due to improperly controlled modification of object prototype attributes in resolveConfig or browser-adapter helper paths when processing plain config objects after Object.prototype has already been polluted. A remote user can pollute Object.prototype.paramsSerializer to control URL serialization and disclose sensitive information.
This affects direct resolveConfig or browser-adapter helper usage with plain config objects that do not define their own paramsSerializer property.