CVE-2026-44494
Status: Modified - Updated After Analysis

Prototype Pollution Leading to MITM in Axios

Vulnerability report for CVE-2026-44494, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Axios is a promise-based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack: intercepting, reading, and modifying all HTTP traffic, including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.

Meta Information

Published: 2026-06-11
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

One associated CPE:

Vendor: axios
Product: axios
Version / Range: from 1.0.0 (inclusive) to 1.16.0 (exclusive)

Exploitability

CWE-441: The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

CWE-1321: The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

CWE-915: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Detection Guidance

This vulnerability involves prototype pollution in the Axios library versions 1.0.0 to 1.15.0, which allows an attacker to route HTTP traffic through a malicious proxy server. Detection involves identifying if your system or application is using a vulnerable Axios version and monitoring for unusual proxy configurations or unexpected HTTP traffic redirection.

To detect the vulnerability on your system, first check the Axios version used in your project dependencies:

  • Run the command: npm list axios
  • Or check your package.json and package-lock.json files for Axios versions.

To detect suspicious network activity that might indicate exploitation of this vulnerability, monitor HTTP traffic for unexpected proxy usage or MITM behavior.

Example commands to monitor network traffic (depending on your environment):

  • Use tcpdump or Wireshark to capture and analyze HTTP traffic for unusual proxy endpoints or unexpected redirections.
  • tcpdump -i any -A port 80 or port 443
  • Check environment variables or configuration files for unexpected proxy settings that might have been injected.

Ultimately, the most reliable approach is to verify the installed Axios version and upgrade to 1.16.0 or later, where the vulnerability is fixed.

Executive Summary

CVE-2026-44494 is a critical vulnerability in the Axios library versions 1.0.0 to 1.15.0 involving Prototype Pollution. This vulnerability allows attackers to inject malicious properties into the Object.prototype, specifically targeting the proxy configuration used by Axios. Because the proxy property is not part of Axios's default configuration, it can be easily injected via prototype pollution. Once injected, the setProxy function routes all HTTP requests through an attacker-controlled proxy server.

This enables a full Man-in-the-Middle (MITM) attack, allowing the attacker to intercept, read, and modify all HTTP traffic, including sensitive data such as authentication credentials, cookies, and request bodies. The attack requires no user interaction or authentication and can be triggered through any prototype-pollution flaw in a dependency in the application's stack.

Impact Analysis

This vulnerability can have severe impacts including complete compromise of data confidentiality and integrity. An attacker exploiting this flaw can intercept and alter all HTTP traffic made by the application using Axios, which includes sensitive information like authentication credentials and cookies.

Such an attack can lead to unauthorized access, data theft, session hijacking, and manipulation of data exchanged between the client and server. Because the attacker controls the proxy, they can modify responses and requests without detection, potentially causing further security breaches.

Compliance Impact

The vulnerability allows attackers to perform a full Man-in-the-Middle (MITM) attack, intercepting, reading, and modifying all HTTP traffic including authentication credentials, cookies, and request bodies.

Such unauthorized access and manipulation of sensitive data can lead to breaches of confidentiality and integrity, which are critical requirements under common standards and regulations like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could cause non-compliance with these regulations due to exposure and potential misuse of personal and sensitive information.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Axios library to version 1.16.0 or later where the issue is fixed.

The fix involves using hasOwnProperty checks when reading security-sensitive configuration properties (such as proxy), and creating null-prototype objects for merged configurations, so that values inherited through the prototype chain are never honoured.
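To make the two mitigations above concrete, and to give the detection guidance a runtime check to pair with the version check, here is an added illustration. It is not Axios source code: the function names, the config shape, the constructed proxy value and the simulated pollution are all assumptions made for this demo. It contrasts the plain-property-access read and naive merge the advisory describes with an own-property read and a null-prototype merge, and shows which of them still honours a `proxy` entry that exists only on Object.prototype.

```javascript
// Added illustration of the gadget described in CVE-2026-44494 and of the
// hardening measures the advisory mentions. Not Axios code; all names here are
// assumptions for the demo.

// Pattern the advisory attributes to the vulnerable adapter: plain property
// access, which falls through to Object.prototype when the merged config
// carries no own `proxy` key.
function readProxyUnsafe(config) {
  return config.proxy;
}

// Hardened read: honour `proxy` only when it is an own property of the config.
function readProxySafe(config) {
  return Object.prototype.hasOwnProperty.call(config, 'proxy') ? config.proxy : undefined;
}

// Naive merge: the result inherits from Object.prototype, so any polluted
// key becomes visible through it.
function mergeConfigUnsafe(defaults, userConfig) {
  return { ...defaults, ...userConfig };
}

// Hardened merge: a null-prototype target has no chain to walk, and keys that
// could re-attach a prototype are skipped.
function mergeConfigSafe(defaults, userConfig) {
  const out = Object.create(null);
  for (const src of [defaults, userConfig]) {
    for (const key of Object.keys(src ?? {})) {
      if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
      out[key] = src[key];
    }
  }
  return out;
}

// Runs `fn` while Object.prototype carries a constructed (non-enumerable)
// `proxy` entry, then restores the prototype. Exists only so the behaviour of
// the read/merge strategies under pollution can be compared in one process.
function withPollutedPrototype(fn) {
  const marker = { host: 'constructed-example.invalid', port: 8080 }; // constructed value
  Object.defineProperty(Object.prototype, 'proxy', {
    value: marker, configurable: true, writable: true, enumerable: false,
  });
  try {
    return fn(marker);
  } finally {
    delete Object.prototype.proxy;
  }
}

// Returns which strategies would have picked up the injected proxy.
function demonstrate() {
  const defaults = { timeout: 1000 }; // no `proxy` key, as the advisory says of the Axios defaults
  const userConfig = { url: 'https://example.com/api' };
  return withPollutedPrototype((marker) => {
    const naive = mergeConfigUnsafe(defaults, userConfig);
    const hardened = mergeConfigSafe(defaults, userConfig);
    return {
      unsafe: readProxyUnsafe(naive) === marker,       // inherited via the prototype chain
      safeRead: readProxySafe(naive) === marker,       // own-property check refuses it
      safeMerge: readProxyUnsafe(hardened) === marker, // null prototype: nothing to inherit
    };
  });
}

// Defensive runtime check for the detection guidance: a healthy process never
// has a `proxy` entry on Object.prototype.
function prototypeLooksPolluted() {
  return Object.prototype.hasOwnProperty.call(Object.prototype, 'proxy');
}

console.log(demonstrate(), 'polluted now:', prototypeLooksPolluted());
```

Running the block prints `{ unsafe: true, safeRead: false, safeMerge: false }` followed by `polluted now: false`: only the plain read over a plain-object merge sees the injected value, and the prototype is clean again once the simulation ends. Either hardening alone closes the gadget; the advisory describes the fix as applying both.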
