PatchSiren cyber security CVE debrief
CVE-2026-44495 axios CVE debrief
Axios, a promise-based HTTP client for the browser and Node.js, is vulnerable to prototype pollution in versions from 0.19.0 up to, but not including, 0.31.1 and 1.15.2. The vulnerability occurs in request config processing and can be exploited if another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse. Axios does not create the prototype pollution itself; exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request. The vulnerability is fixed in versions 0.31.1 and 1.15.2.
- Vendor: axios
- Product: Unknown
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-12
Who should care
Developers and users of Axios in the browser and Node.js environments should be aware of this vulnerability and take steps to mitigate it by updating to a fixed version.
Technical summary
Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse, affected Axios versions may treat that inherited value as request configuration or as an option validator.
Defensive priority
HIGH
Recommended defensive actions
- Update Axios to version 0.31.1 or 1.15.2 or later.
- Ensure that your application does not have any existing prototype pollution vulnerabilities.
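The inherited-value behaviour described in the technical summary, together with a startup check that supports the second action above, as an added example that is not code from this page or from Axios. The resolver functions are simplified stand-ins, and the option list other than transformResponse is an assumption chosen for illustration.

```javascript
// Added illustration; simplified stand-in, NOT Axios source code.
// Key list is an assumption; only transformResponse is named by the advisory.
const CONFIG_KEYS = ['transformResponse', 'transformRequest', 'baseURL', 'proxy'];
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Naive read: plain property access walks the prototype chain, so a value
// sitting on Object.prototype looks like caller-supplied configuration.
function naiveResolve(userConfig, defaults) {
  const out = {};
  for (const key of CONFIG_KEYS) {
    out[key] = userConfig[key] !== undefined ? userConfig[key] : defaults[key];
  }
  return out;
}

// Hardened read: only own properties count, and the result has no prototype,
// so later lookups on it cannot fall through to Object.prototype either.
function safeResolve(userConfig, defaults) {
  const out = Object.create(null);
  for (const key of CONFIG_KEYS) {
    if (hasOwn(userConfig, key)) out[key] = userConfig[key];
    else if (hasOwn(defaults, key)) out[key] = defaults[key];
  }
  return out;
}

// Startup or health check: report config-like keys present on Object.prototype.
function findPollutedKeys(keys = CONFIG_KEYS) {
  return keys.filter((key) => hasOwn(Object.prototype, key));
}

// Constructed demo: simulate the pre-existing pollution the advisory requires,
// compare both resolvers, then restore Object.prototype.
function demo() {
  const marker = () => 'inherited';
  Object.prototype.transformResponse = marker;
  try {
    const request = { baseURL: 'https://api.example.test' }; // constructed input
    const naive = naiveResolve(request, {});
    const safe = safeResolve(request, {});
    return {
      naivePickedUpInherited: naive.transformResponse === marker,
      safePickedUpInherited: 'transformResponse' in safe,
      polluted: findPollutedKeys(),
    };
  } finally {
    delete Object.prototype.transformResponse;
  }
}
```

A non-empty result from findPollutedKeys() in a running process indicates that some other component has already modified Object.prototype and should be investigated regardless of the Axios version in use.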
Evidence notes
This vulnerability is documented in the official CVE record [cve-org] and detailed in the NVD [nvd]. The Axios security advisory is available at [ref-4].
Official resources
- CVE-2026-44495 CVE record (CVE.org)
- CVE-2026-44495 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2026-44495 was published on 2026-06-11T17:16:33.450Z and modified on 2026-06-12T14:16:31.170Z.