Prototype Pollution Vulnerability in Axios HTTP Client
CVE-2026-42041

4.8 MEDIUM

Key Information:

Vendor: Axios
Status: Vendor
CVE Published: 24 April 2026

What is CVE-2026-42041?

Axios, a widely used promise-based HTTP client for browsers and Node.js, is susceptible to a prototype pollution vulnerability. The flaw allows an attacker who can pollute Object.prototype to suppress critical HTTP error responses such as 401, 403 and 500. Consequently, legitimate error handling and authentication processes are completely bypassed, because every HTTP status can be misinterpreted as a success. The vulnerability arises from the merge strategy for the validateStatus configuration property, which uses the 'in' operator and therefore traverses the prototype chain. If an attacker sets Object.prototype.validateStatus to a function that always returns true, the application accepts any HTTP status code as a success. This critical issue has been resolved in Axios versions 1.15.1 and 0.31.1.
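As an added illustration (constructed for this page, not axios's own code), the following models the difference between an 'in'-based merge of validateStatus and an own-property merge, exercised against a simulated polluted prototype; the merge and settle functions are simplified stand-ins, not the library's real internals.

```javascript
// Library default: only 2xx counts as success.
const defaultValidateStatus = (status) => status >= 200 && status < 300;

// Weak merge (models the flaw): `in` sees properties inherited through the
// prototype chain, so a polluted Object.prototype.validateStatus shadows
// the default even when the caller's config object is empty.
function mergeValidateStatusWeak(userConfig) {
  return 'validateStatus' in userConfig
    ? userConfig.validateStatus
    : defaultValidateStatus;
}

// Hardened merge: only a function that is an own property of the caller's
// config is honoured; inherited values are ignored.
function mergeValidateStatusHardened(userConfig) {
  const own = Object.prototype.hasOwnProperty.call(userConfig, 'validateStatus');
  return own && typeof userConfig.validateStatus === 'function'
    ? userConfig.validateStatus
    : defaultValidateStatus;
}

// Models the response dispatch: resolve as success or reject as an error.
function settle(status, validateStatus) {
  return validateStatus(status) ? 'fulfilled' : 'rejected';
}

// Startup self-check a service can run: an empty object literal must not
// expose validateStatus; if it does, Object.prototype has been polluted.
function prototypeIsPolluted() {
  return 'validateStatus' in {};
}

// Simulate the pollution (constructed, local to this demo), record how each
// merge strategy treats a 403, then restore Object.prototype.
function demo() {
  const result = {};
  Object.prototype.validateStatus = () => true; // constructed pollution
  try {
    const cfg = {}; // caller supplied no validateStatus of its own
    result.pollutedDetected = prototypeIsPolluted();
    result.weak = settle(403, mergeValidateStatusWeak(cfg));
    result.hardened = settle(403, mergeValidateStatusHardened(cfg));
  } finally {
    delete Object.prototype.validateStatus;
  }
  result.cleanDetected = prototypeIsPolluted();
  result.clean = settle(403, mergeValidateStatusWeak({}));
  return result;
}
```

The weak merge reports the 403 as fulfilled while polluted, the hardened merge rejects it, and the self-check flags the polluted state before any request is sent.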

Affected Version(s)

Package   Affected range        Unaffected
axios     >= 1.0.0, < 1.15.1    < 1.0.0, 1.15.1
axios     < 0.31.1              < 0.31.1

References

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
