
CVE Reports

Originally published at cvereports.com

CVE-2026-42035: Axios Header Injection via Prototype Pollution Gadget

Vulnerability ID: CVE-2026-42035
CVSS Score: 7.4
Published: 2026-05-05

CVE-2026-42035 identifies a high-severity prototype pollution gadget in the Node.js HTTP adapter of Axios. The adapter decides whether a request body is FormData by duck-typing, without verifying that the methods it looks for are the object's own properties. An attacker who already holds a prototype pollution primitive can therefore supply those methods through Object.prototype and inject arbitrary HTTP headers into outgoing requests, leading to identity spoofing, authentication bypass, or request smuggling.

TL;DR

A flaw in the Axios Node.js adapter allows attackers to inject arbitrary HTTP headers via a prototype pollution gadget. The adapter's duck-typing does not check for own properties when it evaluates a body as FormData, so methods polluted onto Object.prototype can dictate the headers of the outgoing request. Upgrading to Axios 0.31.1 or 1.15.1 resolves the issue.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-1321
  • Attack Vector: Network
  • CVSS Score: 7.4
  • EPSS Score: 0.00083
  • Exploit Status: PoC (proof of concept)
  • KEV Listed: false

Affected Systems

  • Axios Node.js HTTP adapter (lib/adapters/http.js)
  • axios: < 0.31.1 (Fixed in: 0.31.1)
  • axios: >= 1.0.0, < 1.15.1 (Fixed in: 1.15.1)

Code Analysis

Fix commit (hardening prototype checks): f53ebf2

Fix commit (CRLF sanitization): 163da72

Mitigation Strategies

  • Update Axios to the latest secure versions (0.31.1 or 1.15.1+).
  • Audit application dependencies for known prototype pollution vulnerabilities.
  • Implement prototype freezing using Object.freeze(Object.prototype) during application initialization to prevent runtime modifications.
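The two fixes described above (an own-property-aware duck-typing check and CRLF rejection for header values), shown as an added illustration; this is not Axios's own code, and `isFormDataLike`, `mergeFormHeaders` and the `FakeFormData` stand-in are hypothetical names constructed for the example.

```javascript
// Added example, not code from axios: a FormData duck-typing check that
// never credits a method inherited from Object.prototype, plus CR/LF
// rejection before a body-provided header reaches the wire.
const CRLF_RE = /[\r\n]/;

// True if `name` is an own property of `obj` or of a prototype *below*
// Object.prototype. A method polluted onto Object.prototype is ignored.
function ownsBelowObjectPrototype(obj, name) {
  let cur = obj;
  while (cur !== null && cur !== Object.prototype) {
    if (Object.prototype.hasOwnProperty.call(cur, name)) return true;
    cur = Object.getPrototypeOf(cur);
  }
  return false;
}

function isFormDataLike(obj) {
  return obj !== null && typeof obj === 'object' &&
    typeof obj.getHeaders === 'function' &&
    ownsBelowObjectPrototype(obj, 'getHeaders');
}

// Merge headers supplied by a FormData-like body into the request headers.
// Any header name or value containing CR or LF is rejected outright instead
// of being written into the request line.
function mergeFormHeaders(requestHeaders, body) {
  const out = { ...requestHeaders };
  if (!isFormDataLike(body)) return out;
  for (const [name, value] of Object.entries(body.getHeaders())) {
    if (CRLF_RE.test(name) || CRLF_RE.test(String(value))) {
      throw new TypeError(`Refusing header containing CR/LF: ${JSON.stringify(name)}`);
    }
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Constructed stand-in for the form-data package: getHeaders lives on the
// class prototype, below Object.prototype, so the check accepts it.
class FakeFormData {
  constructor(boundary) { this.boundary = boundary; }
  getHeaders() {
    return { 'Content-Type': `multipart/form-data; boundary=${this.boundary}` };
  }
}
```

Object.freeze(Object.prototype), as recommended above, complements this: the check then cannot be fed a polluted method at all, while the own-property walk still protects code paths that run before freezing.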

Remediation Steps:

  1. Identify all projects utilizing the Axios package within Node.js environments.
  2. Update the version constraint in package.json to >=1.15.1 or >=0.31.1.
  3. Execute npm install or yarn install to update the lockfile.
  4. Deploy the updated application build to testing and production environments.
  5. Monitor dependency trees using tools like npm audit or Nuclei to ensure vulnerable versions are not reintroduced.

Read the full report for CVE-2026-42035 on our website for more details including interactive diagrams and full exploit analysis.
