Prototype pollution in axios - #VU136917
Published: July 6, 2026
axios
Detailed vulnerability description
The vulnerability allows a remote user to tamper with outbound requests and disclose sensitive information.
The vulnerability exists due to improperly controlled modification of object prototype attributes in nested axios request option objects when processing placeholder nested option objects in a JavaScript process with a polluted Object.prototype. A remote user can pollute inherited username, password, encode, or serialize properties to tamper with outbound requests and disclose sensitive information.
Exploitation requires a separate prototype-pollution primitive in the same process, and affected cases include auth or paramsSerializer objects that omit their own relevant properties.