CVE-2026-44494
Status: Received - Intake
Prototype Pollution Leading to MITM in Axios

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack: intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.
Meta Information
Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor: axios; Product: axios; Version / Range: From 1.0.0 (inc) to 1.16.0 (exc)
Vendor: axios; Product: axios; Version / Range: 1.16.0
CWE ID and Description
CWE-1321: The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CWE-441: The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
AI Quick Actions
Executive Summary

CVE-2026-44494 is a critical vulnerability in the Axios library versions 1.0.0 to 1.15.0 involving Prototype Pollution. This vulnerability allows attackers to inject malicious properties into the Object.prototype, specifically targeting the proxy configuration used by Axios. Because the proxy property is not part of Axios's default configuration, it can be easily injected via prototype pollution. Once injected, the setProxy function routes all HTTP requests through an attacker-controlled proxy server.

This enables a full Man-in-the-Middle (MITM) attack, allowing the attacker to intercept, read, and modify all HTTP traffic, including sensitive data such as authentication credentials, cookies, and request bodies. The attack requires no user interaction or authentication and can exploit any polluted dependency in the application's stack.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Axios library to version 1.16.0 or later where the issue is fixed.

The fix involves using hasOwnProperty checks when reading security-sensitive configuration properties and creating null-prototype objects for merged configurations to prevent prototype pollution.
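
The following is an added example, not Axios's own code, that shows why a plain `config.proxy` read is a prototype-pollution gadget and demonstrates the two hardening patterns named above: an own-property check when reading security-sensitive keys, and a null-prototype object for the merged configuration. It also includes a small runtime check a defender can use to detect whether sensitive keys have already been written onto `Object.prototype`. The function names, the `DEFAULTS` shape and the polluted proxy value are constructed for this illustration.

```javascript
// Added example (not from the Axios project). Config shapes and names are hypothetical.

// Mirrors the advisory's point: defaults carry no own `proxy` key.
const DEFAULTS = { timeout: 1000 };

// Naive merge: the result is an ordinary object whose prototype is Object.prototype.
function mergeConfigNaive(defaults, overrides) {
  return { ...defaults, ...overrides };
}

// Hardened merge: null-prototype result, only own enumerable keys are copied,
// so nothing can be inherited from a polluted Object.prototype.
function mergeConfigSafe(defaults, overrides) {
  const out = Object.create(null);
  for (const src of [defaults, overrides]) {
    for (const key of Object.keys(src || {})) {
      out[key] = src[key];
    }
  }
  return out;
}

// Naive read: standard property access walks the prototype chain.
function readProxyNaive(config) {
  return config.proxy;
}

// Hardened read: only an own `proxy` property counts; inherited values are ignored.
// hasOwnProperty is borrowed from Object.prototype so this also works on
// null-prototype objects, which have no hasOwnProperty method of their own.
function readProxySafe(config) {
  return Object.prototype.hasOwnProperty.call(config, 'proxy') ? config.proxy : undefined;
}

// Defender-side check: which of the given sensitive keys are currently
// present as own properties of Object.prototype (i.e. already polluted)?
function findPollutedKeys(sensitiveKeys) {
  return sensitiveKeys.filter((k) => Object.prototype.hasOwnProperty.call(Object.prototype, k));
}

// Simulates pollution originating elsewhere in the dependency tree (constructed
// for the demo) and always cleans it up afterwards.
function withPollutedPrototype(fn) {
  Object.prototype.proxy = { host: 'polluted.invalid', port: 8080 };
  try {
    return fn();
  } finally {
    delete Object.prototype.proxy;
  }
}

// Runs every combination once while the prototype is polluted and reports what each read sees.
function demo() {
  return withPollutedPrototype(() => {
    const naiveCfg = mergeConfigNaive(DEFAULTS, { url: 'https://example.com/api' });
    const safeCfg = mergeConfigSafe(DEFAULTS, { url: 'https://example.com/api' });
    const explicitCfg = mergeConfigSafe(DEFAULTS, { proxy: { host: 'corp-proxy.example', port: 3128 } });
    return {
      naiveRead: readProxyNaive(naiveCfg),          // polluted value leaks through the chain
      safeReadOnNaiveCfg: readProxySafe(naiveCfg),  // undefined: not an own property
      naiveReadOnSafeCfg: readProxyNaive(safeCfg),  // undefined: no prototype chain to walk
      explicitProxy: readProxySafe(explicitCfg),    // a legitimately configured proxy still works
      polluted: findPollutedKeys(['proxy']),        // ['proxy'] while the simulated pollution is active
    };
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

Either hardening on its own closes this particular gadget: the own-property read ignores the inherited value even on an ordinary object, and the null-prototype config has no chain for a naive read to traverse. Applying both is the defensive choice, since each protects against the other being forgotten in a later code path. The `findPollutedKeys` check is useful as a startup or health-check assertion in services that cannot immediately upgrade.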

Impact Analysis

This vulnerability can have severe impacts including complete compromise of data confidentiality and integrity. An attacker exploiting this flaw can intercept and alter all HTTP traffic made by the application using Axios, which includes sensitive information like authentication credentials and cookies.

Such an attack can lead to unauthorized access, data theft, session hijacking, and manipulation of data exchanged between the client and server. Because the attacker controls the proxy, they can modify responses and requests without detection, potentially causing further security breaches.

Compliance Impact

The vulnerability allows attackers to perform a full Man-in-the-Middle (MITM) attack, intercepting, reading, and modifying all HTTP traffic including authentication credentials, cookies, and request bodies.

Such unauthorized access to and manipulation of sensitive data breaches confidentiality and integrity, both of which are core requirements under common standards and regulations like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could cause non-compliance with these regulations due to exposure and potential misuse of personal and sensitive information.
