CVE-2026-42264
Prototype Pollution vulnerability in axios (npm)
What is CVE-2026-42264 About?
This vulnerability in the axios library allows an attacker who has already achieved prototype pollution in the same process to inject attacker-controlled values into HTTP request configurations. This can lead to credential injection, request hijacking, SSRF, or even code execution. Exploitation requires a separate vulnerability that causes the prototype pollution, and chaining the two is moderately complex.
Affected Software
Technical Details
The axios HTTP adapter is susceptible to prototype pollution because five specific configuration properties are read without hasOwnProperty guards: config.auth, config.baseURL, config.socketPath, config.beforeRedirect, and config.insecureHTTPParser. When an external dependency pollutes Object.prototype, any of these properties that is not explicitly set in the merged configuration is read via direct property access. That access traverses the prototype chain, so axios silently picks up the attacker-controlled values from Object.prototype. The impact depends on the property: config.auth injection leads to arbitrary Authorization headers; config.baseURL redirects requests to attacker-controlled servers; config.socketPath redirects requests to internal Unix sockets (SSRF); config.beforeRedirect allows execution of attacker-supplied callbacks during redirects (code execution); and config.insecureHTTPParser enables an insecure HTTP parser, facilitating request smuggling.
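As an added illustration (not axios's own code and not from this advisory), the following contrasts the unguarded read described above with an own-property guard, and adds a small check that reports which of the five keys are being inherited from Object.prototype. The function names and the sample config are hypothetical; the pollution is constructed inside the demo and removed again.

```javascript
// Added illustration, not axios code. Shows why reading config keys with
// direct property access picks up values from a polluted Object.prototype,
// and how an own-property guard prevents it. Names are hypothetical.
const GUARDED_KEYS = ['auth', 'baseURL', 'socketPath', 'beforeRedirect', 'insecureHTTPParser'];

// Vulnerable pattern: config[key] walks the prototype chain when the key
// is not an own property of the merged config.
function resolveUnguarded(config) {
  const out = {};
  for (const key of GUARDED_KEYS) out[key] = config[key];
  return out;
}

// Hardened pattern: only own properties are honoured; inherited values are
// treated as "not set".
function resolveGuarded(config) {
  const out = {};
  for (const key of GUARDED_KEYS) {
    const own = Object.prototype.hasOwnProperty.call(config, key);
    out[key] = own ? config[key] : undefined;
  }
  return out;
}

// Detection helper: lists keys that resolve to a value without being own
// properties, i.e. evidence that Object.prototype has been polluted.
function findInheritedKeys(config) {
  return GUARDED_KEYS.filter(
    (k) => !Object.prototype.hasOwnProperty.call(config, k) && config[k] !== undefined
  );
}

// Simulates pollution from an unrelated gadget. The value is a constructed
// placeholder; try/finally restores Object.prototype afterwards.
function demo() {
  const config = { url: '/api/users', method: 'get' }; // none of the five keys set
  Object.prototype.baseURL = 'http://polluted.invalid';
  try {
    return {
      unguarded: resolveUnguarded(config),
      guarded: resolveGuarded(config),
      inherited: findInheritedKeys(config),
    };
  } finally {
    delete Object.prototype.baseURL;
  }
}
```

The `findInheritedKeys` check is the kind of assertion a test suite or startup self-check can run to surface pollution before a request is built.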
What is the Impact of CVE-2026-42264?
Successful exploitation may allow attackers to inject credentials, hijack requests, perform Server-Side Request Forgery (SSRF) attacks, execute arbitrary code, or enable request smuggling, leading to data theft and system compromise.
What is the Exploitability of CVE-2026-42264?
Exploitation of this vulnerability is complex as it relies on a prerequisite: another vulnerability in the same process must first achieve prototype pollution of Object.prototype. Once pollution occurs, the axios library will automatically use the injected values in subsequent HTTP requests, requiring no further authentication or specific privileges for axios itself. The attacks can be remote or local depending on how the initial prototype pollution is achieved and how axios is used. The key constraints are the presence of a prototype pollution gadget and that the affected axios properties are not explicitly set, allowing the polluted values to be inherited. The risk factors increase significantly if the application uses many third-party libraries, increasing the chance of a prototype pollution vulnerability existing elsewhere.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-42264?
Available Upgrade Options
- axios
- >=1.0.0, <1.15.2 → Upgrade to 1.15.2
Additional Resources
What are Similar Vulnerabilities to CVE-2026-42264?
Similar Vulnerabilities: CVE-2022-26514, CVE-2020-7798, CVE-2021-23369, CVE-2023-30861, CVE-2023-45136
