PatchSiren cyber security CVE debrief
CVE-2026-44494 axios CVE debrief
Axios, a promise-based HTTP client for the browser and Node.js, is vulnerable to a Prototype Pollution 'Gadget' attack. This vulnerability, tracked as CVE-2026-44494, allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack. This enables attackers to intercept, read, and modify all HTTP traffic, including authentication credentials. The vulnerability exists due to how the HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This issue affects Axios versions from 1.0.0 to before 1.16.0. The vulnerability is fixed in version 1.16.0.
- Vendor: axios
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-12
Who should care
Developers and security teams using Axios in their applications should be aware of this vulnerability. Axios users should update to version 1.16.0 or later to mitigate this vulnerability.
Technical summary
The Axios library is vulnerable to a Prototype Pollution 'Gadget' attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack. This is due to the way config.proxy is accessed in the HTTP adapter, which allows for injection via prototype pollution.
Defensive priority
HIGH
Recommended defensive actions
- Update Axios to version 1.16.0 or later.
- Review and monitor your application's dependency tree for potential Object.prototype pollution vulnerabilities.
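The following is an added illustration, not code from the axios project or from this advisory, of the gadget described in the summary above and of the kind of check the second recommended action calls for. It uses a hypothetical stand-in for axios's merged request config (the `DEFAULTS`, `buildMergedConfig` and `readProxy*` names are assumptions) to contrast a prototype-chain read of `proxy` with an own-property read and a null-prototype config, and it includes a small runtime probe for a `proxy` key on `Object.prototype`. The polluted state is simulated inside a fixture that always cleans up after itself; the proxy host and port are constructed placeholders.

```javascript
// Added example (not axios code): shows why reading `config.proxy` through the
// prototype chain is a pollution gadget, and two hardened alternatives.

// Hypothetical stand-in for the merged request config. As the advisory notes for
// axios, the defaults carry no `proxy` key, so `proxy` is an own property only
// when the caller explicitly sets it.
const DEFAULTS = { timeout: 1000, maxRedirects: 5 };

function buildMergedConfig(userConfig = {}) {
  return { ...DEFAULTS, ...userConfig }; // spread copies own properties only
}

// Vulnerable read: plain property access falls through to Object.prototype
// whenever the config has no own `proxy` property.
function readProxyUnsafe(config) {
  return config.proxy;
}

// Hardened read: honour `proxy` only when it is an own property of the config.
function readProxySafe(config) {
  return Object.prototype.hasOwnProperty.call(config, 'proxy') ? config.proxy : undefined;
}

// Alternative hardening: build the config on a null prototype so there is no
// chain to traverse; plain access is then safe as well.
function buildMergedConfigNullProto(userConfig = {}) {
  return Object.assign(Object.create(null), DEFAULTS, userConfig);
}

// Runtime probe a defender can wire into startup or a health check: does
// Object.prototype currently carry an own `proxy` property?
function prototypeHasProxy() {
  return Object.prototype.hasOwnProperty.call(Object.prototype, 'proxy');
}

// Test fixture only: temporarily places a constructed `proxy` value on
// Object.prototype to simulate the polluted state the advisory describes,
// runs `fn`, and always removes the key again.
function withSimulatedPollution(fn) {
  const planted = { host: 'proxy.example.invalid', port: 8080 }; // constructed placeholder
  Object.defineProperty(Object.prototype, 'proxy', {
    value: planted, configurable: true, enumerable: false, writable: true,
  });
  try {
    return fn(planted);
  } finally {
    delete Object.prototype.proxy;
  }
}

// Runs the comparison under the simulated pollution and returns what each
// read resolved to.
function demonstrate() {
  return withSimulatedPollution((planted) => {
    const cfg = buildMergedConfig({ url: 'https://example.invalid/' });
    const cfgNullProto = buildMergedConfigNullProto({ url: 'https://example.invalid/' });
    return {
      polluted: prototypeHasProxy(),
      unsafe: readProxyUnsafe(cfg),             // resolves to the planted object
      unsafeIsPlanted: readProxyUnsafe(cfg) === planted,
      safe: readProxySafe(cfg),                 // undefined: no own property
      nullProto: readProxyUnsafe(cfgNullProto), // undefined: no prototype chain
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrate());
  console.log('prototype clean after test:', !prototypeHasProxy());
}
```

Run with `node` to see the three reads side by side: the prototype-chain read returns the planted object while both hardened variants return `undefined`, and an explicitly supplied `proxy` is still honoured by the own-property read. In a real service the `prototypeHasProxy` style probe is only a tripwire for one known gadget key; the durable fix remains upgrading axios to 1.16.0 or later.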
Evidence notes
This vulnerability has been analyzed and verified by the NVD and has a CVSS score of 8.7.
Official resources
- CVE-2026-44494 CVE record (CVE.org)
- CVE-2026-44494 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory, Mitigation
CVE-2026-44494 was published on 2026-06-11T17:16:33.313Z and modified on 2026-06-12T18:01:25.840Z.