CVE-2026-42044
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Summary
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| axios | axios | >= 1.0.0, < 1.15.2 | affected |
Weaknesses
- CWE-915: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
- CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget
Additional References
- https://access.redhat.com/security/cve/CVE-2026-42044
- https://bugzilla.redhat.com/show_bug.cgi?id=2461624
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42044.json
- https://access.redhat.com/errata/RHSA-2026:25089
- https://access.redhat.com/errata/RHSA-2026:24473
- https://access.redhat.com/errata/RHSA-2026:24539
- https://access.redhat.com/errata/RHSA-2026:25273
- https://access.redhat.com/errata/RHSA-2026:20889
- https://access.redhat.com/errata/RHSA-2026:20938
- https://access.redhat.com/errata/RHSA-2026:21338
- https://access.redhat.com/errata/RHSA-2026:33574
- https://access.redhat.com/errata/RHSA-2026:26234
- https://access.redhat.com/errata/RHSA-2026:20338
- https://access.redhat.com/errata/RHSA-2026:25041
- https://access.redhat.com/errata/RHSA-2026:21772
- https://access.redhat.com/errata/RHSA-2026:20454
- https://access.redhat.com/errata/RHSA-2026:16534
- https://access.redhat.com/errata/RHSA-2026:16532
- https://access.redhat.com/errata/RHSA-2026:16535
- https://access.redhat.com/errata/RHSA-2026:16542
- https://access.redhat.com/errata/RHSA-2026:22840
- https://access.redhat.com/errata/RHSA-2026:22629
- https://access.redhat.com/errata/RHSA-2026:21017
- https://access.redhat.com/errata/RHSA-2026:24853
- https://access.redhat.com/errata/RHSA-2026:19375
- https://access.redhat.com/errata/RHSA-2026:22465
- https://access.redhat.com/errata/RHSA-2026:23361
- https://access.redhat.com/errata/RHSA-2026:26214
- https://access.redhat.com/errata/RHSA-2026:26232
- https://access.redhat.com/errata/RHSA-2026:26225
- https://access.redhat.com/errata/RHSA-2026:24471
- https://access.redhat.com/errata/RHSA-2026:34608
- https://access.redhat.com/errata/RHSA-2026:24536
- https://access.redhat.com/errata/RHSA-2026:25271
- https://access.redhat.com/errata/RHSA-2026:17657
- https://access.redhat.com/errata/RHSA-2026:17699
- https://access.redhat.com/errata/RHSA-2026:19109
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.