PatchSiren cyber security CVE debrief
CVE-2026-42264 axios CVE debrief
The Axios library, an HTTP client for Node.js and browsers, is susceptible to prototype pollution: certain configuration properties in its HTTP adapter are accessed directly, without own-property guards, so when Object.prototype has been polluted by another dependency, Axios picks up the polluted values. Affected versions range from 1.0.0 up to but not including 1.15.2; the issue is patched in version 1.15.2, and Axios users should update to that version to mitigate the risk. The impacted configuration properties are auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser. Because polluted values are picked up silently on every outbound HTTP request, the result can be security-relevant changes to request behaviour.
- Vendor: axios
- Product: Unknown
- CVSS: HIGH 7.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-07-01
- Advisory published: 2026-05-08
- Advisory updated: 2026-07-01
Who should care
Developers and security teams using Axios in their applications should be aware of this vulnerability. Given the high CVSS score of 7.4, this issue is considered serious and requires immediate attention. Updating Axios to version 1.15.2 or later is recommended to prevent potential security breaches.
Technical summary
Axios, a popular HTTP client library for Node.js and browsers, suffers from a prototype pollution vulnerability. This vulnerability arises from the library's direct property access to certain configuration properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) without using hasOwnProperty guards. An attacker can exploit this by polluting Object.prototype, leading to Axios silently incorporating these polluted values into its configuration on every HTTP request. This issue affects Axios versions from 1.0.0 up to but not including 1.15.2. The vulnerability has been addressed in Axios version 1.15.2.
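The pattern the summary describes, as an added illustration that is not axios source: an unguarded config read beside an own-property-guarded read, evaluated while Object.prototype is (temporarily, in a test harness) polluted. The property names are the ones this advisory lists; Object.hasOwn is assumed available (Node 16.9 or later), and the sample request config is constructed.

```javascript
// Added illustration, not axios source: an unguarded config read versus an
// own-property-guarded read when Object.prototype has been polluted.
// Property names are the ones the advisory lists for CVE-2026-42264.
const SENSITIVE_KEYS = ['auth', 'baseURL', 'socketPath', 'beforeRedirect', 'insecureHTTPParser'];

// Vulnerable pattern: `config[key]` walks the prototype chain, so a value
// another dependency planted on Object.prototype is treated as caller config.
function readConfigUnguarded(config) {
  const picked = {};
  for (const key of SENSITIVE_KEYS) {
    if (config[key] !== undefined) picked[key] = config[key];
  }
  return picked;
}

// Hardened pattern: honour only properties the caller actually set on the
// config object. Object.hasOwn (Node 16.9+) is used rather than
// config.hasOwnProperty, which itself could be shadowed by pollution.
function readConfigGuarded(config) {
  const picked = {};
  for (const key of SENSITIVE_KEYS) {
    if (Object.hasOwn(config, key)) picked[key] = config[key];
  }
  return picked;
}

// Test harness only: simulates the precondition the advisory describes
// (a polluted Object.prototype), runs fn, then restores the prototype.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key,
    { value, writable: true, configurable: true, enumerable: false });
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}

// Constructed sample request config: the caller never set insecureHTTPParser.
function demo() {
  const callerConfig = { url: 'https://example.test/api' };
  return withPollutedPrototype('insecureHTTPParser', true, () => ({
    unguarded: readConfigUnguarded(callerConfig),
    guarded: readConfigGuarded(callerConfig),
  }));
}
```

Running demo() yields an unguarded result containing insecureHTTPParser: true that the caller never supplied, while the guarded result is empty.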
Defensive priority
High priority should be given to updating Axios to version 1.15.2 or later. Additionally, developers should review their dependencies for any other potential prototype pollution vulnerabilities and ensure that Object.prototype is not being polluted by other libraries or dependencies.
Recommended defensive actions
- Update Axios to version 1.15.2 or later.
- Review and audit dependencies for potential prototype pollution vulnerabilities.
- Implement hasOwnProperty checks for configuration properties in HTTP adapters.
- Monitor HTTP requests for anomalies that could indicate exploitation.
- Consider using a proxy or middleware to validate and sanitize HTTP request configurations.
Evidence notes
The CVE-2026-42264 vulnerability in Axios is confirmed by multiple sources, including the official CVE record and NVD details. The vulnerability allows for prototype pollution, which can lead to security issues with HTTP requests. The issue is patched in Axios version 1.15.2.
Official resources
- CVE-2026-42264 CVE record (CVE.org)
- CVE-2026-42264 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Patch
- Mitigation or vendor reference: Issue Tracking, Patch
- Mitigation or vendor reference: Product, Release Notes
- Mitigation or vendor reference: Exploit, Mitigation, Vendor Advisory
This article is AI-assisted and based on the supplied source corpus.