Prototype Pollution Vulnerability in Axios HTTP Client
CVE-2026-42035

7.4 HIGH

Key Information:

Vendor: Axios
Status: Vendor
CVE Published: 24 April 2026

What is CVE-2026-42035?

A prototype pollution vulnerability in the Axios HTTP client allows attackers to inject arbitrary HTTP headers into outgoing requests by exploiting a flaw in the HTTP adapter. The flaw exists in versions prior to 1.15.1 and 0.31.1 and is caused by erroneous duck-type checking of data payloads. An attacker who can manipulate the prototype of objects causes Axios to misidentify a plain object payload as an instance of FormData. Axios then calls the payload's getHeaders() function, which should never happen for a plain object, and merges the returned attacker-controlled headers into the HTTP request. Affected applications must be updated to the fixed versions to mitigate this risk.
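The following added illustration is not Axios's own code: it contrasts a loose duck-type check for FormData payloads (any object exposing a callable getHeaders()) with a check that only trusts explicitly listed constructors, and shows that a plain object whose prototype carries getHeaders() is misclassified by the loose form only. DemoFormData, the helper names and the 'x-constructed' header are constructed for the demonstration.

```javascript
// Constructed stand-in for a FormData implementation; getHeaders() lives on
// the prototype, as it does in real multipart form-data libraries.
class DemoFormData {
  getHeaders() {
    return { 'content-type': 'multipart/form-data; boundary=demo' };
  }
}

// Loose check: "anything exposing a callable getHeaders() is FormData".
// Inherited properties count, so a polluted prototype makes every plain
// object pass.
function looksLikeFormDataLoose(payload) {
  return payload !== null && typeof payload === 'object' &&
    typeof payload.getHeaders === 'function';
}

// Stricter check: only instances of explicitly trusted constructors qualify;
// a getHeaders() inherited by an ordinary object is ignored.
function looksLikeFormDataStrict(payload, trustedCtors) {
  return payload !== null && typeof payload === 'object' &&
    trustedCtors.some((Ctor) => payload instanceof Ctor);
}

// Header assembly as the advisory describes it: when the payload is judged to
// be FormData, its getHeaders() output is merged into the request headers.
function buildHeaders(baseHeaders, payload, isFormData, trustedCtors) {
  const headers = { ...baseHeaders };
  if (isFormData(payload, trustedCtors)) {
    Object.assign(headers, payload.getHeaders());
  }
  return headers;
}

// Constructed scenario. Instead of touching the global Object.prototype, the
// plain-looking payload gets a custom prototype carrying getHeaders(), which
// reproduces the misclassification in isolation.
function simulate() {
  const taintedProto = { getHeaders: () => ({ 'x-constructed': 'yes' }) };
  const payload = Object.create(taintedProto);
  payload.user = 'alice';
  const base = { 'content-type': 'application/json' };
  return {
    loose: buildHeaders(base, payload, looksLikeFormDataLoose),
    strict: buildHeaders(base, payload, looksLikeFormDataStrict, [DemoFormData]),
    genuine: buildHeaders(base, new DemoFormData(), looksLikeFormDataStrict, [DemoFormData]),
  };
}
```

The trusted-constructor list must include every FormData implementation the application actually uses (browser global, polyfill, or the form-data package), otherwise genuine multipart bodies are sent without their boundary header.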

Affected Version(s)

axios >= 1.0.0, < 1.15.1 (fixed in 1.15.1; versions below 1.0.0 fall under the 0.x entry below)

axios < 0.31.1 (fixed in 0.31.1)

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 24 April 2026

  • Vulnerability reserved