Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3838 articles · 175945 vulns · 37/41 feeds (7d)
← Back to list
8.7
CVE-2026-44494EXPLOITEDPATCHED
axios · axios

Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`

Description

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.

Affected Products

VendorProductVersions
axiosaxios>= 1.0.0, < 1.16.0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
red hatopenshiftcert_advisory90%

References

  • https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh(x_refsource_CONFIRM)

Related News (2 articles)

Tier B
BSI Advisories13d ago
[NEU] [mittel] Red Hat OpenShift Container Platform (protobufjs, fast-uri): Mehrere Schwachstellen
→ No new info (linked only)
Tier C
VulDB33d ago
CVE-2026-44494 | Axios up to 1.15.x lib/adapters/http.js setProxy confused deputy
→ No new info (linked only)
CVSS 3.18.7 HIGH
VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
axios@1.16.0
CWECWE-441, CWE-1321
PublishedMay 29, 2026
Last enriched33d agov2
Tags
GHSA-35jp-ww65-95whnpmCVE-2026-44494
Trending Score10
Source articles2
Independent2
Info Completeness9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

HIGHCVE-2026-42264
Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking
Trending: 14
HIGHCVE-2026-42043
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
Trending: 6
HIGHCVE-2026-44492
Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
Trending: 3
HIGHCVE-2026-44496
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
Trending: 3
HIGHCVE-2026-44486
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
Trending: 3

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
May 29, 2026
Discovered by ZDM
May 29, 2026
Updated: description, affectedVersions, severity, activelyExploited, patchAvailable, tags
Jun 11, 2026
Actively Exploited
Jul 10, 2026
Patch Available
Jul 10, 2026

Version History

v2
Last enriched 33d ago
v2Tier C33d ago

Updated description with new details, changed affected versions to <= 1.15.x, updated severity to MEDIUM, and noted that no exploit is available.

descriptionaffectedVersionsseverityactivelyExploitedpatchAvailabletags
via VulDB
v146d ago

Initial creation