PatchSiren cyber security CVE debrief
CVE-2026-44489 axios CVE debrief
Axios is a promise-based HTTP client for the browser and Node.js. In versions 1.15.2 up to but not including 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request. This vulnerability is fixed in 1.16.0.
- Vendor: axios
- Product: Unknown
- CVSS: LOW 3.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of Axios versions 1.15.2 up to but not including 1.16.0
Technical summary
The vulnerability arises because utils.merge() creates nested objects (such as config.proxy) with Object.prototype in their chain. setProxy() then reads proxy.username, proxy.password, and proxy.auth with ordinary property access rather than own-property checks, so a value polluted onto Object.prototype is treated as proxy credentials and emitted as a Proxy-Authorization header on every proxied request.
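To illustrate the defect class and its fix, here is an added example that is not axios's own code: a simplified header builder in the unsafe style the advisory describes, the own-property-checked variant, and a merge helper that builds nested containers with a null prototype. The function names (buildProxyAuthHeaderUnsafe, buildProxyAuthHeaderSafe, mergeNullProto) are hypothetical; inherited values are modelled with Object.create() rather than by polluting the real Object.prototype.

```javascript
// Unsafe pattern: plain property reads also return values inherited
// through the prototype chain, so a polluted Object.prototype.username
// or .password would be turned into a Proxy-Authorization header.
function buildProxyAuthHeaderUnsafe(proxy) {
  let auth = proxy.auth;
  if (proxy.username || proxy.password) {
    auth = `${proxy.username || ''}:${proxy.password || ''}`;
  }
  if (!auth) return undefined;
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

// Only own properties are honoured; inherited ones are ignored.
function ownProp(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Hardened variant: credentials must be own properties of the proxy config.
function buildProxyAuthHeaderSafe(proxy) {
  const username = ownProp(proxy, 'username');
  const password = ownProp(proxy, 'password');
  let auth = ownProp(proxy, 'auth');
  if (username || password) auth = `${username || ''}:${password || ''}`;
  if (typeof auth !== 'string' || auth === '') return undefined;
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

// Defence in depth for the merge step: nested containers get a null
// prototype, so there is no Object.prototype in the chain to inherit from,
// and keys that could rewire the chain are skipped outright.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mergeNullProto(...sources) {
  const out = Object.create(null);
  for (const src of sources) {
    if (src === null || src === undefined) continue;
    for (const key of Object.keys(src)) {
      if (BLOCKED_KEYS.has(key)) continue;
      const val = src[key];
      if (val && typeof val === 'object' && !Array.isArray(val)) {
        const existing = out[key] && typeof out[key] === 'object' ? out[key] : undefined;
        out[key] = mergeNullProto(existing, val);
      } else {
        out[key] = val;
      }
    }
  }
  return out;
}
```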
Defensive priority
LOW
Recommended defensive actions
- Update Axios to version 1.16.0 or later
Evidence notes
The vulnerability is fixed in Axios version 1.16.0.
Official resources
- CVE-2026-44489 CVE record (CVE.org)
- CVE-2026-44489 NVD detail (NVD)