CVE-2026-42264
Last modified
CVE-2026-42264 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. EPSS estimates a 0.41% chance of exploitation in the next 30 days.
Description
Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Axios | Axios | >= 1.0.0, < 1.15.2 |
References
- https://github.com/axios/axios/pull/10779Issue Tracking, Patch
- https://github.com/axios/axios/releases/tag/v1.15.2Product, Release Notes
- https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jjExploit, Mitigation, Vendor Advisory
- https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jjExploit, Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-42264?
How severe is CVE-2026-42264?
How do I fix CVE-2026-42264?
Are you affected by CVE-2026-42264?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST