Prototype pollution in axios - #VU136917

 

Prototype pollution in axios - #VU136917

Published: July 6, 2026


Vulnerability identifier: #VU136917
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: axios
Affected software:
axios

Detailed vulnerability description

The vulnerability allows a remote user to tamper with outbound requests and disclose sensitive information.

The vulnerability exists due to improperly controlled modification of object prototype attributes in nested axios request option objects when processing placeholder nested option objects in a JavaScript process with a polluted Object.prototype. A remote user can pollute inherited username, password, encode, or serialize properties to tamper with outbound requests and disclose sensitive information.

Exploitation requires a separate prototype-pollution primitive in the same process, and affected cases include auth or paramsSerializer objects that omit their own relevant properties.


Remediation

Install security update from vendor's website.

Sources