Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3875 articles · 175980 vulns · 37/41 feeds (7d)
← Back to list
7.4
CVE-2026-42264PATCHED
axios · axios

Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking

Description

Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.

Affected Products

VendorProductVersions
axiosaxios>= 1.0.0, < 1.15.2

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
atlassiancruciblecert_advisory90%
atlassianconfluencecert_advisory90%
atlassianbitbucketcert_advisory90%
atlassianjiracert_advisory90%
atlassianbamboocert_advisory90%

References

  • https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj(x_refsource_CONFIRM)
  • https://github.com/axios/axios/pull/10779(x_refsource_MISC)
  • https://github.com/axios/axios/commit/47915144662f2733e6c051bdcb895a8c8f0586aa(x_refsource_MISC)
  • https://github.com/axios/axios/releases/tag/v1.15.2(x_refsource_MISC)

Related News (6 articles)

Tier B
BSI Advisories12d ago
[NEU] [hoch] IBM DataPower Gateway: Mehrere Schwachstellen
→ No new info (linked only)
Tier B
CERT-FR26d ago
Multiples vulnérabilités dans les produits Atlassian (18 juin 2026)
→ No new info (linked only)
Tier B
BSI Advisories27d ago
[NEU] [hoch] Atlassian Bamboo, Bitbucket, Confluence, Fisheye, Crucible, Jira und Jira Service Management: Mehrere Schwachstellen
→ No new info (linked only)
Tier B
BSI Advisories48d ago
[NEU] [hoch] IBM License Metric Tool: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff
→ No new info (linked only)
Tier B
BSI Advisories53d ago
[NEU] [hoch] IBM App Connect Enterprise: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
VulDB67d ago
CVE-2026-42264 | Axios up to 1.15.1 HTTP Request prototype pollution
→ No new info (linked only)
CVSS 3.17.4 HIGH
VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA KEV❌ No
Actively exploited❌ No
Patch available
axios@1.15.2
CWECWE-1321
PublishedMay 5, 2026
Last enriched67d agov2
Tags
GHSA-q8qp-cvcw-x6jjnpm
Trending Score14
Source articles6
Independent3
Info Completeness9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

HIGHCVE-2026-44494EXP
Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
Trending: 10
HIGHCVE-2026-42043
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
Trending: 6
HIGHCVE-2026-44492
Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
Trending: 3
HIGHCVE-2026-44496
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
Trending: 3
HIGHCVE-2026-44486
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
Trending: 3

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
May 5, 2026
Discovered by ZDM
May 5, 2026
Updated: affectedVersions, severity, patchAvailable
May 8, 2026
Patch Available
Jul 13, 2026

Version History

v2
Last enriched 67d ago
v2Tier C67d ago

Updated affected versions to '< 1.15.2', changed severity to MEDIUM, and noted that no exploit is available.

affectedVersionsseveritypatchAvailable
via VulDB
v170d ago

Initial creation