9.1

CVE-2026-42044

Exploit

Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AxiosAxios SwPlatformnode.js Version >= 1.0.0 < 1.15.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.59% 0.436
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
security-advisories@github.com 6.5 2.2 4.2
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.4 2.2 5.2
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

https://bugzilla.redhat.com/show_bug.cgi?id=2461624
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42044.json
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:21017
https://access.redhat.com/errata/RHSA-2026:23361
https://access.redhat.com/errata/RHSA-2026:25089
https://access.redhat.com/errata/RHSA-2026:20889
https://access.redhat.com/errata/RHSA-2026:24853
https://access.redhat.com/errata/RHSA-2026:16532
https://access.redhat.com/errata/RHSA-2026:16534
https://access.redhat.com/errata/RHSA-2026:16535
https://access.redhat.com/errata/RHSA-2026:16542
https://access.redhat.com/errata/RHSA-2026:21338
https://access.redhat.com/errata/RHSA-2026:21772
https://access.redhat.com/errata/RHSA-2026:22465
https://access.redhat.com/errata/RHSA-2026:22840
https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23
Vendor Advisory
Exploit
Mitigation
https://access.redhat.com/errata/RHSA-2026:17657
https://access.redhat.com/errata/RHSA-2026:17699
https://access.redhat.com/errata/RHSA-2026:19109
https://access.redhat.com/errata/RHSA-2026:20338
https://access.redhat.com/errata/RHSA-2026:20454
https://access.redhat.com/errata/RHSA-2026:20938
https://access.redhat.com/errata/RHSA-2026:22629
https://access.redhat.com/errata/RHSA-2026:24471
https://access.redhat.com/errata/RHSA-2026:24473
https://access.redhat.com/errata/RHSA-2026:24536
https://access.redhat.com/errata/RHSA-2026:24539
https://access.redhat.com/errata/RHSA-2026:25041
https://access.redhat.com/errata/RHSA-2026:25271
https://access.redhat.com/errata/RHSA-2026:25273
https://access.redhat.com/errata/RHSA-2026:26214
https://access.redhat.com/errata/RHSA-2026:26225
https://access.redhat.com/errata/RHSA-2026:26232
https://access.redhat.com/errata/RHSA-2026:26234
https://access.redhat.com/errata/RHSA-2026:33574
https://access.redhat.com/errata/RHSA-2026:34608
https://access.redhat.com/errata/RHSA-2026:36107
https://access.redhat.com/security/cve/CVE-2026-42044
https://access.redhat.com/errata/RHSA-2026:36882