Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.
| Vendor | Product | Versions |
|---|---|---|
| axios | axios | npm/axios: >= 1.0.0, < 1.15.0, npm/axios: < 0.31.0 |

Downstream vendors/products affected by this vulnerability:

| Vendor | Product | Source | Confidence |
|---|---|---|---|
| npm | axios | GHSA | 85% |

Record history:
- Updated actively exploited status to true and noted that no exploit is available.
- Initial creation