CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-42042: XSRF Token Cross-Origin Leakage via Prototype Pollution in Axios

Vulnerability ID: CVE-2026-42042
CVSS Score: 5.4
Published: 2026-05-05

Axios, a widely used JavaScript HTTP client, contains a vulnerability in which a loose truthiness check on the withXSRFToken configuration option allows the anti-CSRF (XSRF) token to leak. The issue is only reachable when the application is already vulnerable to Prototype Pollution: a polluted property makes the check pass, short-circuiting the same-origin validation so that the token is sent to a cross-origin server.

TL;DR

A vulnerability in Axios allows XSRF tokens to leak to cross-origin servers. This occurs when loose boolean evaluation in the configuration logic is bypassed via an external Prototype Pollution gadget.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-697 (Incorrect Comparison)
  • Attack Vector: Network
  • CVSS v3.1: 5.4
  • EPSS Score: 0.00035
  • Impact: XSRF Token Leakage
  • Exploit Status: PoC (proof of concept)

Affected Systems

  • Node.js applications utilizing Axios
  • Web applications bundling Axios
  • Applications with untrusted input parsing leading to Prototype Pollution
  • axios: >= 1.0.0, < 1.15.1 (Fixed in: 1.15.1)
  • axios: < 0.31.1 (Fixed in: 0.31.1)

Mitigation Strategies

  • Upgrade Axios to patched versions 1.15.1 or 0.31.1
  • Freeze Object.prototype globally
  • Use Map or Object.create(null) for parsing untrusted user input
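
The following is an added example, not Axios source code and not part of the original report. It uses a stand-in configuration flag check named after the withXSRFToken option described above to show why a loose truthiness test is fragile once Object.prototype is polluted, and it implements the three mitigations from the list (strict own-property comparison, freezing Object.prototype, and parsing untrusted input into null-prototype objects). All function names are hypothetical, and the pollution is simulated in-process and undone afterwards.

```javascript
// Added example (not Axios code): a stand-in for a config flag check like the
// withXSRFToken case, showing the failure mode under Prototype Pollution and
// the hardening steps from the mitigation list. Function names are hypothetical.

// Loose check: any truthy value passes, including one inherited from the prototype.
function shouldAttachTokenLoose(config) {
  return Boolean(config.withXSRFToken);
}

// Hardened check: the flag must be the object's own property and strictly true.
function shouldAttachTokenStrict(config) {
  return Object.prototype.hasOwnProperty.call(config, 'withXSRFToken') &&
    config.withXSRFToken === true;
}

// Mitigation: parse untrusted JSON into null-prototype objects and drop the
// keys that prototype-pollution gadgets rely on.
function parseUntrustedToNullProto(text) {
  const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
  return JSON.parse(text, (key, value) => {
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const clean = Object.create(null);
      for (const k of Object.keys(value)) {
        if (!BLOCKED.has(k)) clean[k] = value[k];
      }
      return clean;
    }
    return value;
  });
}

// Failure mode: a config that never set the flag starts passing the loose
// check once Object.prototype carries the property. The pollution below is
// constructed for illustration and removed in the finally block.
function demonstratePollutedCheck() {
  const config = { url: '/api/profile' };       // plain object from the app
  const safeConfig = Object.create(null);         // null-prototype alternative
  safeConfig.url = '/api/profile';

  const before = {
    loose: shouldAttachTokenLoose(config),
    strict: shouldAttachTokenStrict(config),
  };
  Object.prototype.withXSRFToken = true;          // simulated gadget outcome
  try {
    return {
      before,
      after: {
        loose: shouldAttachTokenLoose(config),              // true: inherited value
        strict: shouldAttachTokenStrict(config),            // false: not an own property
        nullProtoLoose: shouldAttachTokenLoose(safeConfig), // false: no prototype chain
      },
    };
  } finally {
    delete Object.prototype.withXSRFToken;
  }
}

// Mitigation: freeze Object.prototype once at process start-up. Afterwards a
// pollution attempt is silently ignored (sloppy mode) or throws (strict mode).
function hardenGlobalPrototype() {
  Object.freeze(Object.prototype);
  try {
    Object.prototype.withXSRFToken = true;
  } catch (e) {
    // TypeError in strict mode: the write was rejected, which is the goal.
  }
  return Object.isFrozen(Object.prototype) &&
    Object.prototype.withXSRFToken === undefined;
}

console.log(JSON.stringify(demonstratePollutedCheck()));
console.log(Object.getPrototypeOf(
  parseUntrustedToNullProto('{"__proto__":{"withXSRFToken":true},"url":"/x"}')
) === null);
```

Freezing Object.prototype is effective but global: any dependency that extends Object.prototype at load time will break, so test the full application after enabling it. The null-prototype parser and the strict own-property check have no such side effects and are the lower-risk changes to make first.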

Remediation Steps

  1. Identify Axios usage via package-lock.json or yarn.lock
  2. Update version constraints to >= 1.15.1 (1.x line) or >= 0.31.1 (0.x line)
  3. Run dependency installation and verify package tree
  4. Deploy updated application builds
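
As an added example (not from the advisory or the Axios project), the script below carries out steps 1 and 2 against a constructed package-lock.json: it finds every installed copy of axios, including transitive copies vendored under another package, and flags those inside the affected ranges listed above. It handles both lockfileVersion 1 (nested "dependencies") and lockfileVersion 2/3 (path-keyed "packages"). Function names are hypothetical; the fixed versions come from the report.

```javascript
// Added example (not Axios code): audit a package-lock.json for axios copies
// in the affected ranges from the advisory. Function names are hypothetical.

const FIXED_1X = '1.15.1';
const FIXED_0X = '0.31.1';

// "1.6.7", "^1.6.7", "v1.6.7", "1.6.7-beta.1" -> [1, 6, 7]; anything else -> null
function parseVersion(v) {
  const m = /^[\^~]?v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected per the advisory: >= 1.0.0 and < 1.15.1, or < 0.31.1.
function isAffectedAxiosVersion(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable: do not guess
  const lt = (x) => compareVersions(v, parseVersion(x)) < 0;
  const ge = (x) => compareVersions(v, parseVersion(x)) >= 0;
  return (ge('1.0.0') && lt(FIXED_1X)) || lt(FIXED_0X);
}

// Every installed axios copy as { path, version }, for lockfile v1 and v2/v3.
function axiosCopiesInLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'axios') found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Adds the affected flag and the fixed version for the copy's major line.
function auditLockfile(lockText) {
  return axiosCopiesInLockfile(lockText).map((c) => {
    const v = parseVersion(c.version);
    return {
      ...c,
      affected: isAffectedAxiosVersion(c.version),
      fixVersion: v && v[0] === 0 ? FIXED_0X : FIXED_1X,
    };
  });
}

// Constructed sample lockfile: one direct axios and one older transitive copy.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '^1.6.0', 'legacy-sdk': '2.0.0' } },
    'node_modules/axios': { version: '1.6.7' },
    'node_modules/legacy-sdk': { version: '2.0.0', dependencies: { axios: '0.27.2' } },
    'node_modules/legacy-sdk/node_modules/axios': { version: '0.27.2' },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path} ${f.version} ${f.affected ? 'AFFECTED, upgrade to ' + f.fixVersion : 'ok'}`);
}
```

The transitive copy is the one that is easy to miss: bumping the top-level constraint does not touch a copy pinned by another package, so step 3 (verify the package tree after installing) should be checked against this kind of listing rather than against package.json alone.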

Read the full report for CVE-2026-42042 on our website for more details including interactive diagrams and full exploit analysis.
