Prototype pollution in axios - #VU136918

 

Prototype pollution in axios - #VU136918

Published: July 6, 2026


Vulnerability identifier: #VU136918
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: axios
Affected software:
axios

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improperly controlled modification of object prototype attributes in the Node.js HTTP adapter request path when processing interceptor-returned regular object configs with a polluted Object.prototype.proxy. A remote user can trigger prototype pollution elsewhere in the process and cause affected HTTP requests to be routed through an attacker-controlled proxy to disclose sensitive information.

Exploitation requires Node.js HTTP adapter usage and a request interceptor that returns a plain object copy of the request configuration. The confirmed disclosure impact is limited to plaintext HTTP requests and can expose authorization headers, request metadata, and request body content.


Remediation

Install security update from vendor's website.

Sources