CVE-2026-42035

Exploit

EPSS 0.11%
Veröffentlicht 24.04.2026 17:38:07
Zuletzt bearbeitet 27.04.2026 19:58:39
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Axios: Header Injection via Prototype Pollution

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 4

NVD 2 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Axios ≫ Axios SwPlatformnode.js Version < 0.31.1

Axios ≫ Axios SwPlatformnode.js Version >= 1.0.0 < 1.15.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.282

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.4	2.2	5.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9

Vendor Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-42035

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-42035

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-42035

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-42035