Executive Summary

CVE-2026-42264 is a prototype pollution vulnerability in the Axios HTTP client library affecting versions 1.0.0 to before 1.15.2. The issue arises because five configuration properties in the HTTP adapter (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) are accessed directly without proper hasOwnProperty checks. This allows attackers to exploit prototype pollution gadgets by injecting malicious values into Object.prototype, which Axios then silently uses in outbound HTTP requests.

• config.auth: can inject attacker-controlled Authorization headers.
• config.baseURL: can redirect requests to attacker-controlled servers.
• config.socketPath: can redirect requests to internal Unix sockets like Docker daemon.
• config.beforeRedirect: can execute attacker-supplied callbacks during redirects.
• config.insecureHTTPParser: can enable Node.js's insecure HTTP parser.

The root cause is that the mergeConfig function only checks own properties, leaving these five properties vulnerable to prototype chain traversal and pollution.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts on the confidentiality and integrity of your applications using Axios. An attacker could exploit it to:

• Inject attacker-controlled credentials into Authorization headers, potentially gaining unauthorized access.
• Hijack or redirect HTTP requests to attacker-controlled servers, enabling data interception or manipulation.
• Perform Server-Side Request Forgery (SSRF) attacks by redirecting requests to internal Unix sockets such as Docker daemons.
• Execute arbitrary code via attacker-supplied callbacks during HTTP redirects.
• Weaken HTTP parsing security by enabling insecure HTTP parsers.

Overall, this can lead to unauthorized data access, request manipulation, and potential remote code execution, severely compromising application security.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate CVE-2026-42264, immediately upgrade the axios library to version 1.15.2 or later, where the vulnerability has been patched.

• Ensure that the axios HTTP adapter reads only own properties of configuration objects to prevent prototype pollution.
• Apply the patch that restricts config properties like auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from being influenced by polluted Object.prototype.
• Use the new allowedSocketPaths configuration option to whitelist Unix domain socket paths if your application uses socketPath.
• Review and apply supply-chain hardening measures such as setting .npmrc with ignore-scripts=true and using lockfile lint CI.
• Verify that your axios version includes the security fixes that reject invalid header characters to prevent header injection and CRLF attacks.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Axios allows prototype pollution that can lead to injection of attacker-controlled Authorization headers, request hijacking, and server-side request forgery (SSRF). This can result in unauthorized access to sensitive data and manipulation of HTTP requests.

Such unauthorized access and data manipulation could potentially lead to breaches of confidentiality and integrity, which are critical aspects of compliance with standards like GDPR and HIPAA that require protection of personal and sensitive information.

Therefore, if exploited, this vulnerability could cause non-compliance with these regulations due to exposure or unauthorized modification of protected data transmitted via HTTP requests.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves prototype pollution in the axios HTTP client, where certain configuration properties (auth, baseURL, socketPath, beforeRedirect, insecureHTTPParser) can be polluted via Object.prototype and silently used in outbound HTTP requests.

Detection involves checking if your application is using a vulnerable version of axios (versions 1.0.0 up to before 1.15.2) and monitoring outbound HTTP requests for suspicious headers or redirects that could indicate exploitation, such as unexpected Authorization headers, redirects to attacker-controlled URLs, or requests to internal Unix sockets.

Since the vulnerability is related to prototype pollution affecting axios configuration, you can detect it by:

• Verifying the axios version in your project dependencies (e.g., using `npm list axios` or `yarn list axios`).
• Inspecting outbound HTTP requests for unexpected Authorization headers or unusual base URLs.
• Checking for unexpected socketPath usage or callbacks triggered during redirects.

Suggested commands to help detect the vulnerability or its exploitation include:

• `npm list axios` or `yarn list axios` — to identify the installed axios version.
• Using network monitoring tools (e.g., `tcpdump`, `wireshark`) to capture and analyze outbound HTTP requests for suspicious headers or redirects.
• Reviewing application logs for unexpected Authorization headers or errors related to HTTP requests.
• If you have access to the runtime environment, inspecting the Object.prototype for unexpected properties that could indicate prototype pollution (e.g., in Node.js REPL or debugging tools).

No specific detection commands are provided in the resources, but these general approaches can help identify if the vulnerability is present or being exploited.

Useful 0 Not Useful 0