Vulnerability Description
Axios is a promise-based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in the Axios defaults, is not validated by assertOptions, and is not subject to any other constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.
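The gadget described above, reduced to a stand-alone Node.js demonstration. This is an added example and not Axios code: `transformResponseUnsafe` only mirrors the shape of the vulnerable call (`JSON.parse(data, config.parseReviver)` on a plain config object), while `transformResponseSafe` and `unexpectedPrototypeProps` are this page's own illustrations of a mitigation and a detection check, not the upstream 1.15.2 fix. The sample response body and the "polluting" test harness are constructed for the demo.

```javascript
'use strict';

// Added example, not Axios code. The unsafe function reproduces the shape of the
// vulnerable transformResponse: JSON.parse(data, config.parseReviver), where
// `config` is a plain object, so a missing own property falls through to
// Object.prototype.parseReviver if anything has polluted it.
function transformResponseUnsafe(data, config = {}) {
  return JSON.parse(data, config.parseReviver);
}

// Hardened variant (illustrative hardening, not the upstream fix): only honour
// a reviver that is the config's *own* property and is a function. Anything
// inherited through the prototype chain is ignored.
function transformResponseSafe(data, config = {}) {
  const own = Object.prototype.hasOwnProperty.call(config, 'parseReviver');
  const reviver = own && typeof config.parseReviver === 'function'
    ? config.parseReviver
    : undefined;
  return JSON.parse(data, reviver);
}

// Detection helper: snapshot the own property names of Object.prototype at
// startup and report anything that appears later. Usable as a process
// self-check or a test-suite invariant; getOwnPropertyNames also sees
// non-enumerable additions, which an `in`/for-in based check would miss.
const BASELINE_PROTO_PROPS = new Set(Object.getOwnPropertyNames(Object.prototype));
function unexpectedPrototypeProps() {
  return Object.getOwnPropertyNames(Object.prototype)
    .filter((name) => !BASELINE_PROTO_PROPS.has(name));
}

// Constructed sample API response body.
const SAMPLE_RESPONSE = JSON.stringify({ user: 'alice', role: 'user', balance: 100 });

// Test harness standing in for a pollution caused elsewhere in the dependency
// tree: installs a reviver on Object.prototype for the duration of `fn` and
// always removes it again. The reviver rewrites exactly one key and passes
// every other value through untouched, which is what makes the gadget hard
// to notice from the response shape alone.
function withPollutedPrototype(fn) {
  Object.defineProperty(Object.prototype, 'parseReviver', {
    value: (key, value) => (key === 'role' ? 'admin' : value),
    configurable: true,
    writable: true,
    enumerable: false,
  });
  try {
    return fn();
  } finally {
    delete Object.prototype.parseReviver;
  }
}

// Runs both transforms with a clean and with a polluted prototype and returns
// the parsed objects plus the detector's report, so the difference is visible.
function demo() {
  const clean = {
    unsafe: transformResponseUnsafe(SAMPLE_RESPONSE),
    safe: transformResponseSafe(SAMPLE_RESPONSE),
    audit: unexpectedPrototypeProps(),
  };
  const polluted = withPollutedPrototype(() => ({
    unsafe: transformResponseUnsafe(SAMPLE_RESPONSE),
    safe: transformResponseSafe(SAMPLE_RESPONSE),
    audit: unexpectedPrototypeProps(),
  }));
  return { clean, polluted };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the file shows `polluted.unsafe.role` flipped to `"admin"` while `balance` and `user` are unchanged, `polluted.safe` parsed normally, and the audit listing `parseReviver` as an unexpected prototype property. The own-property check is the targeted fix for this call site; a coarser application-level mitigation is `Object.freeze(Object.prototype)` at startup, which makes the pollution step itself fail, and the actual remedy for the CVE is upgrading to the fixed release named in the description.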
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Axios | Axios | >= 1.0.0, < 1.15.1 |
Related Weaknesses (CWE)
References
- https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23 (Exploit, Mitigation, Vendor Advisory)
FAQ
What is CVE-2026-42044?
CVE-2026-42044 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Axios is a promise-based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype ...
How severe is CVE-2026-42044?
CVE-2026-42044 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-42044?
Check the references section above for vendor advisories and patch information. Affected products include: Axios Axios.