These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
Axios, a promise-based HTTP client for the browser and Node.js, is vulnerable to prototype pollution in versions 0.19.0 to before 0.31.1 and 1.15.2. The vulnerability occurs in request config processing and can be exploited if another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse. Axios does not create the prototype pollution itself; exploitability re [truncated]
Axios, a promise-based HTTP client for the browser and Node.js, is vulnerable to a Prototype Pollution 'Gadget' attack. This vulnerability, tracked as CVE-2026-44494, allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack. This enables attackers to intercept, read, and modify all HTTP traffic, including authentication credenti [truncated]
CVE-2026-44492 is a HIGH severity vulnerability in Axios, a promise-based HTTP client for the browser and Node.js. The vulnerability occurs because Axios does not normalize IPv4-mapped IPv6 addresses. This can cause issues when the NO_PROXY environment variable lists an IPv4 address, such as 127.0.0.1 or 169.254.169.254. In such cases, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a [truncated]
Axios, a promise-based HTTP client for the browser and Node.js, is vulnerable to prototype pollution. This vulnerability, CVE-2026-44490, allows attackers to pollute the Object.prototype, potentially leading to security issues. The vulnerability exists in versions prior to 0.32.0 and 1.16.0. Axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependenc [truncated]
Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is pollu [truncated]
A vulnerability was found in Axios, a promise-based HTTP client for the browser and Node.js. The issue affects versions 1.7.0 through 1.15.x, where Axios did not enforce configured request and response size limits when requests were sent with the fetch adapter. This can lead to resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, or when an attacke [truncated]
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. U [truncated]
A vulnerability in Axios' Node.js HTTP adapter can cause proxy credentials to be leaked to a redirect target. This issue affects Axios versions prior to 0.32.0 and 1.16.0 when used with automatic redirects enabled and an authenticated proxy configuration.
The Axios library, used for making HTTP requests in Node.js and browsers, has a vulnerability that allows for prototype pollution. This occurs because certain configuration properties in the HTTP adapter are accessed directly without proper guards, making them susceptible to exploitation when Object.prototype is polluted by another dependency. The affected versions range from 1.0.0 up to but not including [truncated]
CVE-2026-42033 is a high-severity vulnerability in Axios, a promise-based HTTP client for browsers and Node.js. Prior to versions 1.15.1 and 0.31.1, the library is susceptible to prototype pollution attacks. If an attacker can pollute the Object.prototype with keys that Axios reads without a hasOwnProperty guard, they can silently intercept and modify every JSON response before the application sees it or [truncated]
CVE-2025-62718 describes a proxy-bypass weakness in Axios' NO_PROXY handling. When hostname normalization is incorrect, requests aimed at loopback-style targets such as localhost. with a trailing dot or [::1] can fail to match NO_PROXY and be sent through the configured proxy instead. In environments that rely on proxy rules to keep loopback or internal traffic local, this can create SSRF-style exposure t [truncated]
CVE-2026-25639 affects Axios versions before 0.30.3 and 1.13.5. A malicious configuration object can trigger a TypeError in mergeConfig when __proto__ is present as an own property, which can crash the application path and cause a complete denial of service. The issue was publicly disclosed on 2026-02-09, and vendor fixes are available in the Axios patches and release notes.
CVE-2021-3749 is a HIGH severity vulnerability (CVSS 7.5) affecting Subnet Solutions Inc. PowerSYSTEM Center, published by CISA on October 1, 2024. The vulnerability stems from the product's use of Axios, a popular JavaScript HTTP client library, which contains an inefficient regular expression complexity flaw. This issue can lead to denial of service conditions through resource exhaustion when processing [truncated]