CVE-2026-44495
Prototype Pollution in Axios HTTP Client

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Axios is a promise-based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse, affected Axios versions may treat that inherited value as request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request. This vulnerability is fixed in 0.31.1 and 1.15.2.
Affected Vendors & Products

Vendor   Product   Version / Range
axios    axios     from 0.19.0 (inclusive) to 0.31.1 (exclusive)
axios    axios     up to 1.15.2 (exclusive)
CWE ID     Description
CWE-1321   The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CWE-94     The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Compliance Impact

The vulnerability in Axios can lead to credential theft and response data exfiltration by allowing attackers to hijack responses and access sensitive information such as authentication credentials and request headers.

Such unauthorized access and data exposure could potentially result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive data against unauthorized access and breaches.

Therefore, if exploited, this vulnerability may compromise the confidentiality and integrity of sensitive data handled by applications using affected Axios versions, impacting compliance with these common standards and regulations.

Executive Summary

CVE-2026-44495 is a Prototype Pollution Gadget vulnerability in the Axios library, a promise-based HTTP client for browsers and Node.js.

The vulnerability arises because Axios merges request configurations by reading properties through the JavaScript prototype chain. If the Object.prototype.transformResponse property is polluted by an attacker (via a separate prototype pollution vulnerability), Axios may treat this polluted property as part of its request configuration.

This polluted transformResponse function overrides the default JSON response parser for every request, executing in the context of the request configuration and potentially exposing sensitive data such as authentication credentials, request URLs, and headers.

Axios itself does not create the prototype pollution but can be exploited if another vulnerability has already polluted Object.prototype.transformResponse before Axios processes a request.

The vulnerability affects Axios versions from 0.19.0 up to but not including 0.31.1 and 1.15.2, and it is fixed in versions 0.31.1 and 1.15.2.

Impact Analysis

This vulnerability can lead to credential theft, response data exfiltration, and denial-of-service attacks.

Because the polluted transformResponse function executes with the request configuration as its context, attackers can access sensitive information such as authentication usernames and passwords, request URLs, and headers.

If the polluted value is an array, it can also cause denial-of-service conditions.

Exploitation requires that an attacker first achieves prototype pollution in the same JavaScript process, so the impact depends on the presence of other vulnerabilities or attacker control over Object.prototype.

Detection Guidance

Detection of this vulnerability involves checking if your application uses a vulnerable version of Axios (before 1.15.2 or 0.31.1) and whether Object.prototype.transformResponse has been polluted by another vulnerability.

Since the vulnerability requires a prior prototype pollution on Object.prototype.transformResponse, you can inspect the JavaScript environment for unexpected properties or functions on Object.prototype.

The advisory does not provide specific commands, but the following checks can be run in a Node.js environment:

  • In a Node.js console or script, check if transformResponse is polluted: `console.log(Object.prototype.transformResponse);`
  • Check Axios version installed: `npm list axios` or `yarn list axios`
  • Audit your dependencies for known prototype pollution vulnerabilities that could affect Object.prototype.

Mitigation Strategies

The primary mitigation step is to upgrade Axios to a fixed version: 0.31.1 or later for 0.x versions, and 1.15.2 or later for 1.x versions.

Additionally, ensure that your application and its dependencies do not have existing prototype pollution vulnerabilities that could pollute Object.prototype.transformResponse.

The fix in Axios involves using hasOwnProperty checks during config merging and validating that transformResponse contains only functions before execution, so upgrading ensures these protections.
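The following is an added example, not Axios source code, that illustrates both the detection check above and the fix described in this section: a config lookup that reads through the prototype chain (the gadget pattern), a hardened merge that uses own-property checks and validates transformResponse, and a check for unexpected enumerable keys on Object.prototype. All function names and the config key list are hypothetical.

```javascript
'use strict';
// Added example, not Axios source. CONFIG_KEYS is a stand-in for the real
// option list; the point is the lookup pattern, not the exact keys.
const CONFIG_KEYS = ['url', 'auth', 'headers', 'transformResponse'];
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Gadget pattern the advisory describes: `request[key]` walks the prototype
// chain, so a value planted on Object.prototype by an unrelated bug is
// treated as request configuration.
function mergeConfigUnsafe(defaults, request) {
  const merged = {};
  for (const key of CONFIG_KEYS) {
    if (request[key] !== undefined) merged[key] = request[key];
    else if (defaults[key] !== undefined) merged[key] = defaults[key];
  }
  return merged;
}

// transformResponse must be a function or an array of functions; anything
// else (for example an array of strings) is rejected before use.
function validateTransforms(value) {
  const fns = Array.isArray(value) ? value : [value];
  if (!fns.every((f) => typeof f === 'function')) {
    throw new TypeError('transformResponse must contain only functions');
  }
  return fns;
}

// Hardened pattern: only own properties of the caller's objects are read,
// the result has no prototype to inherit from, and the transform list is
// validated before a request could be built from it.
function mergeConfigSafe(defaults, request) {
  const merged = Object.create(null);
  for (const key of CONFIG_KEYS) {
    if (hasOwn(request, key)) merged[key] = request[key];
    else if (hasOwn(defaults, key)) merged[key] = defaults[key];
  }
  if (merged.transformResponse !== undefined) {
    merged.transformResponse = validateTransforms(merged.transformResponse);
  }
  return merged;
}

// Detection aid: a clean Object.prototype has no enumerable own keys, and
// pollution by plain assignment or a recursive merge adds enumerable ones.
// A property defined with enumerable:false would not appear here.
function findPollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}
```

Running `findPollutedPrototypeKeys()` at startup, after all dependencies have loaded, gives a cheap baseline check; an empty array is the expected result.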
