CVE-2026-42041: Prototype Pollution Gadget in Axios Leading to Authentication Bypass
Vulnerability ID: CVE-2026-42041
CVSS Score: 4.8
Published: 2026-05-05
Axios versions prior to 1.15.1 (1.x line) and 0.31.1 (0.x line) contain a prototype pollution gadget in the configuration merging logic. The flaw is not exploitable on its own: an attacker first needs a separate prototype pollution primitive somewhere in the application, and can then use the Axios gadget to manipulate HTTP response validation and bypass authentication checks that rely on it.
TL;DR
A flaw in the Axios configuration merging process allows a validateStatus value injected onto Object.prototype to be picked up in place of the default validator. Because the default validator is what makes Axios reject 4xx and 5xx responses, the client then treats error responses such as 401 or 403 as successful, and application code that gates access on "the request did not throw" proceeds as though authentication succeeded.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Class: Prototype Pollution Gadget (CWE-1321)
- Attack Vector: Network-based (requires a prior prototype pollution primitive in the application)
- CVSS v3.1 Score: 4.8 (Medium)
- EPSS Score: 0.00088 (24.91th percentile)
- Primary Impact: Authentication Bypass / Logic Flaw
- Exploit Status: Proof of Concept available
Affected Systems
- Axios (Node.js HTTP client)
- Axios (Browser HTTP client)
- Axios < 0.31.1 (fixed in 0.31.1)
- Axios >= 1.0.0, < 1.15.1 (fixed in 1.15.1)
Mitigation Strategies
- Upgrade Axios to version 1.15.1 or 0.31.1.
- Explicitly define validateStatus on global Axios instances to shadow the prototype chain.
- Audit application dependencies for primary prototype pollution entry points.
Remediation Steps:
- Identify all projects and services using vulnerable versions of Axios.
- Update the package.json file to require axios: ^1.15.1 or the equivalent patched version.
- Run npm install or yarn install to update the lockfile and install the patched library.
- Implement strict object creation patterns, such as Object.create(null), for configuration objects to prevent prototype pollution at the application level.
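The following is an added example, not code from the Axios project or from the advisory, that models both the gadget described in the TL;DR and the in-application mitigations listed above. mergeConfigVulnerable() and settle() are stand-ins for the library's config-merging and response-settling steps, reduced to the one behaviour that matters here: an unset config key is resolved by ordinary property lookup, which walks the prototype chain. mergeConfigHardened() is one way a library can close such a gadget and is an assumption, not a description of the upstream patch. The polluting assignment stands in for a separate pollution primitive (an unsafe deep-merge of attacker JSON, say), which the page treats as out of scope.

```javascript
// Added example (not Axios source): minimal model of the validateStatus gadget
// and of the mitigations an application can apply while it still ships a
// vulnerable Axios. Assumption: the merge step resolves config keys with a
// plain property read, so inherited keys are honoured.

// Axios-like default: 2xx is success, every other status is rejected.
const DEFAULTS = {
  validateStatus: (status) => status >= 200 && status < 300,
};

// Stand-in for the vulnerable merge: `instance[key]` resolves through the
// prototype chain, so a polluted Object.prototype supplies validateStatus
// whenever the instance config does not define one itself.
function mergeConfigVulnerable(defaults, instance) {
  const merged = {};
  for (const key of ['validateStatus']) {
    merged[key] = instance[key] !== undefined ? instance[key] : defaults[key];
  }
  return merged;
}

// Illustrative hardened merge (assumption, not the upstream fix): honour only
// own properties of the instance config and build the result on a null
// prototype so the merged object cannot inherit anything either.
function mergeConfigHardened(defaults, instance) {
  const merged = Object.create(null);
  for (const key of ['validateStatus']) {
    merged[key] = Object.prototype.hasOwnProperty.call(instance, key)
      ? instance[key]
      : defaults[key];
  }
  return merged;
}

// Stand-in for the settle step: 'resolved' when validateStatus accepts the
// status, otherwise 'rejected' (Axios throws for non-accepted statuses).
function settle(config, response) {
  return config.validateStatus(response.status) ? 'resolved' : 'rejected';
}

// Runtime guard an application can run at startup or before trusting any HTTP
// client config: Object.prototype must not carry any of the gadget keys.
function prototypeIsClean(keys = ['validateStatus']) {
  return keys.every((k) => !Object.prototype.hasOwnProperty.call(Object.prototype, k));
}

// Walks through the attack and each mitigation and returns the outcomes.
function demonstrate() {
  // Constructed sample response: a 401 that a healthy client must reject.
  const unauthorized = { status: 401, data: 'Unauthorized' };
  const out = {};

  // 1. Clean prototype: the default validator rejects the 401.
  out.cleanBaseline = settle(mergeConfigVulnerable(DEFAULTS, {}), unauthorized);
  out.cleanGuard = prototypeIsClean();

  // 2. Simulated prototype pollution primitive elsewhere in the application.
  Object.prototype.validateStatus = () => true;
  try {
    out.pollutedGuard = prototypeIsClean();
    // Vulnerable merge inherits the polluted validator: 401 now "succeeds".
    out.pollutedVulnerable = settle(mergeConfigVulnerable(DEFAULTS, {}), unauthorized);
    // Mitigation A (library side): hardened merge ignores inherited keys.
    out.pollutedHardened = settle(mergeConfigHardened(DEFAULTS, {}), unauthorized);
    // Mitigation B (app side): define validateStatus explicitly on the instance
    // config; the own property shadows the prototype even under the vulnerable merge.
    const pinned = { validateStatus: (s) => s >= 200 && s < 300 };
    out.pollutedShadowed = settle(mergeConfigVulnerable(DEFAULTS, pinned), unauthorized);
    // Mitigation C (app side): a null-prototype config object never sees the
    // pollution, so the lookup falls through to the real default.
    out.pollutedNullProto = settle(mergeConfigVulnerable(DEFAULTS, Object.create(null)), unauthorized);
  } finally {
    delete Object.prototype.validateStatus; // remove the simulated pollution
  }
  out.guardAfterCleanup = prototypeIsClean();
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrate());
}
```

Mitigations B and C are the ones an application can apply on its own; note that C only helps for keys the instance leaves unset and that B only protects the keys you pin, so neither replaces the upgrade. The guard is cheap enough to run on every request in services that accept deeply merged JSON.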
References
- GitHub Security Advisory GHSA-w9j2-pvgh-6h63
- NVD Vulnerability Detail CVE-2026-42041
- Snyk Vulnerability Database Analysis
- Axios Threat Model