CVE-2026-44489
Prototype Pollution Leading to Credential Injection in Axios

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request. This vulnerability is fixed in 1.16.0.
Affected Vendors & Products
Two associated CPEs, which together describe one version range:
Vendor: axios; Product: axios; Range lower bound: from 1.15.2 (inclusive)
Vendor: axios; Product: axios; Range upper bound: up to 1.16.0 (exclusive)
Weaknesses (CWE ID: Description)
CWE-113: The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
CWE-1321: The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Executive Summary

CVE-2026-44489 is a security vulnerability in the Axios library versions 1.15.2 and potentially 1.15.1 that allows an attacker to inject a Proxy-Authorization header via prototype pollution.

The issue arises because nested objects created by utils.merge() (such as config.proxy) are plain objects inheriting from Object.prototype. The setProxy() function reads proxy.username, proxy.password, and proxy.auth without checking if these properties belong directly to the proxy object (i.e., without hasOwnProperty checks).

If an attacker can pollute Object.prototype by adding username or password properties, setProxy() will use these attacker-controlled values to construct a Proxy-Authorization header and inject it into every proxied HTTP request.

This vulnerability requires two conditions: the presence of prototype pollution in the dependency tree and explicit proxy configuration in the application.

It was fixed in Axios version 1.16.0 by adding hasOwnProperty checks and ensuring that nested objects do not inherit from Object.prototype.

Impact Analysis

This vulnerability allows an attacker to spoof the proxy identity by injecting attacker-controlled credentials into the Proxy-Authorization header of proxied HTTP requests.

The impact is limited: attackers can manipulate proxy logs or cause the application to authenticate to a proxy with attacker-supplied credentials, but they cannot access or modify the actual request or response data.

Exploitation requires that the application explicitly configures a proxy and that there is prototype pollution in the dependency tree.

Detection Guidance

Detection of this vulnerability starts with checking whether your application uses an Axios version from 1.15.2 up to, but not including, 1.16.0, especially if it explicitly configures a proxy (config.proxy) and there is any possibility of prototype pollution in the dependency tree.

Since the vulnerability involves injection of Proxy-Authorization headers with attacker-controlled credentials, you can monitor outgoing HTTP requests for unexpected or suspicious Proxy-Authorization headers.

The advisory provides no specific commands, but general approaches include:

  • Check the Axios version used in your project by running: `npm list axios` or `yarn list axios`.
  • Inspect your application code or configuration for explicit proxy settings (e.g., config.proxy).
  • Use network monitoring tools (like Wireshark or tcpdump) to capture HTTP traffic and filter for Proxy-Authorization headers to detect unexpected values.
  • Audit your dependency tree for prototype pollution vulnerabilities that could affect nested objects.
Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Axios to version 1.16.0 or later where the issue is fixed.

If upgrading is not immediately possible, consider the following mitigations:

  • Ensure that the setProxy() function performs hasOwnProperty checks before reading proxy.username, proxy.password, and proxy.auth.
  • Modify or patch utils.merge() to create objects with null prototypes to prevent prototype pollution.
  • Avoid configuring explicit proxy settings in Axios if not necessary.
  • Audit and fix any prototype pollution vulnerabilities in your dependency tree.
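As an added example (not Axios's own code), the simplified model below shows the two patterns the description and the mitigation list refer to: a deep merge whose nested objects either inherit from Object.prototype or carry a null prototype, and a proxy credential read with and without hasOwnProperty checks. The function names, the constructed proxy config and the test harness that temporarily simulates a polluted Object.prototype.username (restoring the prototype afterwards) are all assumptions of this example.

```javascript
// Added illustration of the pattern described in the advisory, not Axios's own code.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Deep-merge that builds nested objects with `create`: () => ({}) reproduces the
// vulnerable shape (Object.prototype in the chain); () => Object.create(null) is hardened.
function merge(create, ...sources) {
  const out = create();
  for (const src of sources) {
    for (const key of Object.keys(src || {})) {
      out[key] = isPlainObject(src[key]) ? merge(create, out[key], src[key]) : src[key];
    }
  }
  return out;
}
const plainObj = () => ({});
const nullProtoObj = () => Object.create(null);

// Vulnerable read: proxy.username / proxy.password / proxy.auth resolve through the
// prototype chain. Returns the credential string that would be placed in the header.
function proxyAuthVulnerable(proxy) {
  let auth = proxy.auth;
  if (proxy.username || proxy.password) auth = `${proxy.username || ''}:${proxy.password || ''}`;
  return auth || undefined;
}

// Hardened read: only own properties are honoured, so a polluted prototype is ignored.
function proxyAuthHardened(proxy) {
  const own = (k) => (Object.prototype.hasOwnProperty.call(proxy, k) ? proxy[k] : undefined);
  let auth = own('auth');
  if (own('username') || own('password')) auth = `${own('username') || ''}:${own('password') || ''}`;
  return auth || undefined;
}

// Regression harness (constructed): simulate the polluted Object.prototype.username
// condition the advisory describes for the duration of fn, then restore the prototype.
function withPollutedPrototype(fn) {
  Object.defineProperty(Object.prototype, 'username',
    { value: 'injected', configurable: true, writable: true, enumerable: false });
  try { return fn(); } finally { delete Object.prototype.username; }
}
// Constructed config: an explicit proxy with no credentials of its own.
const userConfig = { proxy: { host: 'proxy.example.test', port: 8080 } };

function runComparison() {
  return withPollutedPrototype(() => ({
    vulnerable: proxyAuthVulnerable(merge(plainObj, {}, userConfig).proxy),    // 'injected:'
    hardenedRead: proxyAuthHardened(merge(plainObj, {}, userConfig).proxy),    // undefined
    nullProto: proxyAuthVulnerable(merge(nullProtoObj, {}, userConfig).proxy), // undefined
  }));
}
```

Either fix alone (own-property checks in the reader, or null-prototype nested objects from the merge) is enough to stop the inherited credential from reaching the header; the hardened reader still honours explicitly configured credentials.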
Compliance Impact

The vulnerability allows an attacker to inject a Proxy-Authorization header with attacker-controlled credentials into proxied HTTP requests, potentially spoofing proxy identity or manipulating proxy logs.

However, the impact is limited as attackers cannot access the actual request or response data.

Because the vulnerability does not lead to unauthorized access to sensitive data, its direct effect on compliance with data protection regulations such as GDPR or HIPAA is limited.

Nonetheless, the ability to manipulate proxy logs or spoof proxy identity could indirectly affect audit integrity or traceability, which are important aspects of compliance frameworks.
