CVE-2026-44490
Status: Received - Intake
Prototype Pollution in Axios HTTP Client

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios silently picks up the polluted values. (1) lib/utils.js line 406 builds merge()'s accumulator as result = {}, so result[targetKey] (line 414) walks Object.prototype and the polluted bucket's own keys are copied into the merged headers and ride out on the wire. (2) lib/core/mergeConfig.js line 26 builds the hasOwnProperty descriptor as a plain-object literal. Object.defineProperty reads descriptor.get/descriptor.set via the prototype chain, so a polluted Object.prototype.get or Object.prototype.set makes the call throw TypeError synchronously on every axios request. This vulnerability is fixed in 0.32.0 and 1.16.0.
Affected Vendors & Products (3 associated CPEs)

Vendor   Product   Version / Range
axios    axios     from 0.31.1 (inclusive) to 1.15.2 (inclusive)
axios    axios     up to 0.32.0 (exclusive)
axios    axios     up to 1.16.0 (exclusive)
CWE
CWE-1321: The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
AI Quick Actions
Executive Summary

CVE-2026-44490 is a moderate-severity vulnerability in the axios HTTP client library in versions prior to 0.32.0 and 1.16.0. It arises from two read-side prototype-pollution gadgets: when an upstream dependency such as lodash's _.merge has polluted Object.prototype, axios reads the polluted values as if they were its own data.

The vulnerability manifests in two main ways: first, header injection occurs because axios merges headers using a plain object accumulator, allowing polluted keys to be copied into outgoing HTTP headers. Second, a Denial of Service (DoS) crash happens when axios tries to read property descriptors from a polluted Object.prototype, causing synchronous TypeErrors on every request.

Impact Analysis

This vulnerability can impact you by letting an attacker who has polluted Object.prototype inject arbitrary HTTP headers into outgoing requests, such as 'X-Poisoned: yes', which can lead to unexpected behavior or security issues.

It can also cause Denial of Service (DoS) by triggering synchronous TypeErrors on every axios request, leading to complete request failures and bypassing normal error handling.

Additional impacts include server hangs due to incorrect Content-Length headers, HTTP 400 Bad Request responses caused by Content-Length/Transfer-Encoding (CL+TE) conflicts, and response suppression through manipulated If-None-Match headers that return empty 304 Not Modified responses.

Detection Guidance

This vulnerability can be detected by checking whether your axios library version is between 1.0.0 and 1.15.2, or is 0.31.1 or earlier, as these versions are affected.

Additionally, detection involves verifying if Object.prototype pollution is occurring in your environment, especially if upstream dependencies like lodash's _.merge are used.

On the network or system level, signs of exploitation may include unexpected HTTP headers such as 'X-Poisoned: yes' in outgoing requests, or frequent request failures with synchronous TypeErrors.

The referenced resources provide no specific detection commands, but the installed axios version can be checked with the package manager, for example:

  • npm list axios
  • yarn list axios

To detect prototype pollution, you may need to audit your dependencies for known vulnerable versions of lodash or other libraries that modify Object.prototype.

Mitigation Strategies

The immediate mitigation step is to upgrade axios to version 0.32.0 or 1.16.0 or later, where this vulnerability is fixed.

Additionally, ensure that upstream dependencies like lodash are updated to versions that do not pollute Object.prototype.

The fix involves using null-prototype objects instead of plain-object literals in vulnerable code locations to prevent prototype pollution effects.
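As an added example (not axios code and not taken from this advisory), the following models the two gadgets the description identifies and the null-prototype fix this paragraph refers to. The merge shape, the hasOwnProperty stand-in and the polluted keys are constructed assumptions; the pollution is applied and removed inside the demonstration.

```javascript
// Added example, not axios source: both gadgets from the advisory, run with
// the accumulator/descriptor built as plain {} (vulnerable) or null-prototype (fixed).
const plain = () => ({});                    // inherits Object.prototype
const nullProto = () => Object.create(null); // nothing to walk
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Gadget 1: a plain accumulator makes result[key] fall through to a polluted
// "headers" bucket on Object.prototype, whose own keys are merged into the headers.
function merge(makeAcc, ...sources) {
  const result = makeAcc();
  for (const src of sources) {
    for (const key of Object.keys(src)) {
      const val = src[key];
      result[key] = isPlainObject(result[key]) && isPlainObject(val)
        ? merge(makeAcc, result[key], val) : val;
    }
  }
  return result;
}

// Gadget 2: Object.defineProperty reads descriptor.get/.set via the prototype
// chain, so a plain descriptor under a polluted Object.prototype.get throws TypeError.
function defineHasOwn(makeDesc, target) {
  const descriptor = makeDesc();
  descriptor.value = () => false;   // hypothetical hasOwnProperty stand-in
  Object.defineProperty(target, 'hasOwnProperty', descriptor);
  return target;
}

// Runs fn with constructed polluted keys on Object.prototype, then removes them.
function withPollution(polluted, fn) {
  for (const [k, v] of Object.entries(polluted)) Object.prototype[k] = v;
  try { return fn(); }
  finally { for (const k of Object.keys(polluted)) delete Object.prototype[k]; }
}

// Header names that would ride out on the wire under a polluted "headers" bucket.
function headerNames(makeAcc) {
  return withPollution({ headers: { 'X-Poisoned': 'yes' } }, () =>
    Object.keys(merge(makeAcc, { url: '/api' }, { headers: { Accept: 'text/plain' } }).headers));
}

// Whether building the config survives a polluted Object.prototype.get.
function defineOutcome(makeDesc) {
  return withPollution({ get: 'yes' }, () => {
    try { defineHasOwn(makeDesc, Object.create(null)); return 'ok'; }
    catch (e) { return e instanceof TypeError ? 'TypeError' : 'other'; }
  });
}

console.log(headerNames(plain), headerNames(nullProto));     // [ 'X-Poisoned', 'Accept' ] [ 'Accept' ]
console.log(defineOutcome(plain), defineOutcome(nullProto)); // TypeError ok
```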

Compliance Impact

The vulnerability in axios involves prototype pollution that can lead to HTTP header injection and Denial of Service (DoS) conditions. While the CVE description and resources detail the technical impact and potential for request failures or server hangs, there is no direct information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
