Prototype pollution in axios - #VU136918
Published: July 6, 2026
axios
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improperly controlled modification of object prototype attributes in the Node.js HTTP adapter request path when processing interceptor-returned regular object configs with a polluted Object.prototype.proxy. A remote user can trigger prototype pollution elsewhere in the process and cause affected HTTP requests to be routed through an attacker-controlled proxy to disclose sensitive information.
Exploitation requires Node.js HTTP adapter usage and a request interceptor that returns a plain object copy of the request configuration. The confirmed disclosure impact is limited to plaintext HTTP requests and can expose authorization headers, request metadata, and request body content.