Prototype Pollution Vulnerability in Axios HTTP Client by Axios
CVE-2026-42264

7.4 HIGH

Key Information:

Vendor

Axios

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2026-42264?

The Axios HTTP client, widely used in browser and Node.js applications, is affected by a prototype pollution vulnerability. The HTTP adapter reads certain configuration properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) without an own-property check such as hasOwnProperty, so a value inherited from a polluted prototype is silently accepted and used when making outbound HTTP requests. The vulnerability affects versions from 1.0.0 up to, but not including, 1.15.2; version 1.15.2 contains the patch.
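An added illustration of the missing own-property check described above. This is not axios source code; the function names and the sample URL are constructed for this example.

```javascript
// Added illustration; not axios source code. All function names are hypothetical.

// The five config properties named in the advisory.
const SENSITIVE_KEYS = ['auth', 'baseURL', 'socketPath', 'beforeRedirect', 'insecureHTTPParser'];

// Unsafe pattern: a plain property read walks the prototype chain, so a value
// present on Object.prototype looks like caller-supplied configuration.
function readInherited(config, key) {
  return config[key];
}

// Hardened pattern: accept the value only if it is an own property of config.
function readOwn(config, key) {
  return Object.prototype.hasOwnProperty.call(config, key) ? config[key] : undefined;
}

// Alternative hardening: copy own enumerable properties into a null-prototype
// object so later plain reads cannot reach Object.prototype.
function toNullProto(config) {
  return Object.assign(Object.create(null), config);
}

// Defensive audit: report which sensitive keys currently exist on Object.prototype.
function auditPrototype() {
  return SENSITIVE_KEYS.filter((k) =>
    Object.prototype.hasOwnProperty.call(Object.prototype, k));
}

// Constructed demonstration: simulate a polluted prototype, compare the reads,
// then restore the prototype so the process is left clean.
function demo() {
  const config = { url: '/status' }; // the caller never set baseURL
  Object.prototype.baseURL = 'http://polluted.invalid'; // constructed value
  try {
    return {
      inherited: readInherited(config, 'baseURL'),
      own: readOwn(config, 'baseURL'),
      nullProto: toNullProto(config).baseURL,
      audit: auditPrototype(),
    };
  } finally {
    delete Object.prototype.baseURL;
  }
}

console.log(demo());
```

Running `auditPrototype()` at startup or in a test suite gives an early signal that some dependency has modified `Object.prototype` for one of these keys.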

Affected Version(s)

axios >= 1.0.0, < 1.15.2

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
