DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-42044: Invisible JSON Response Tampering via Prototype Pollution Gadget in Axios

Vulnerability ID: CVE-2026-42044
CVSS Score: 6.5
Published: 2026-05-05

Axios versions 1.0.0 through 1.15.1 contain a prototype pollution gadget in their JSON response parsing logic. An attacker who has already achieved prototype pollution through a separate, prerequisite vulnerability can plant a parseReviver option on Object.prototype; Axios then picks it up as if it were a configured option and applies it during deserialization, letting the attacker intercept, modify, or exfiltrate JSON data.

TL;DR

A prototype pollution gadget in Axios's transformResponse function allows attackers to tamper with JSON responses. Upgrading to 1.15.2, or explicitly setting parseReviver in the request configuration so the inherited value is never consulted, mitigates the risk.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-915, CWE-1321
  • Attack Vector: Network (with prerequisites)
  • CVSS v3.1 Base: 6.5
  • EPSS Score: 0.00098 (percentile: 26.71%)
  • Primary Impact: High Integrity (JSON Tampering)
  • Exploit Status: Proof of Concept
  • KEV Listed: No

Affected Systems

  • Axios (Node.js environments)
  • Axios (Browser environments)
  • Axios: >= 1.0.0, < 1.15.2 (Fixed in: 1.15.2)

Code Analysis

Commit: be33360

Replaced unsafe "in" checks and plain property access (both of which see properties inherited from Object.prototype) with hasOwnProperty.

Commit: 4791514

Hardened mergeConfig.js to return null-prototype objects and added extensive regression tests.

Exploit Details

Mitigation Strategies

  • Upgrade Axios to version 1.15.2 or later.
  • Explicitly configure parseReviver: undefined on Axios instances.
  • Implement application-level prototype freezing using Object.freeze(Object.prototype).
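The following is an added example written for this post; it is not Axios's code and does not reproduce Axios internals. It models the gadget class described above and the three defences in this list: a transformResponse-style parser that looks up parseReviver with an "in" check (unsafe), the same lookup restricted to own properties (the hasOwnProperty fix), a config merge that returns null-prototype objects (the mergeConfig.js fix), and the explicit parseReviver: undefined setting. The function names parseUnsafe, parseHardened, mergeConfig, withPollutedPrototype and demo, and the JSON body, are all constructed for the example; withPollutedPrototype stands in for the prerequisite pollution bug by planting a reviver directly and removing it afterwards.

```javascript
// Added example (not Axios's own code): a minimal model of the gadget class
// described in the advisory. A response transformer looks up a "parseReviver"
// option from its config; if the lookup walks the prototype chain, a reviver
// planted on Object.prototype by an earlier pollution bug is silently applied
// to every parsed JSON body. The hardened variants follow the two commit
// descriptions above (own-property checks, null-prototype config objects).

// Constructed JSON body standing in for a server response.
const BODY = '{"user":"alice","role":"viewer"}';

// Unsafe lookup: `in` and plain property access both see inherited properties.
function parseUnsafe(body, config = {}) {
  const reviver = 'parseReviver' in config ? config.parseReviver : undefined;
  return JSON.parse(body, reviver);
}

// Hardened lookup: only an option the caller actually set on the config is used.
function parseHardened(body, config = {}) {
  const reviver = Object.hasOwn(config, 'parseReviver') ? config.parseReviver : undefined;
  return JSON.parse(body, reviver);
}

// Hardened config merge: the result has no prototype, so there is nothing
// inherited for a later lookup to pick up, even if that lookup still uses `in`.
function mergeConfig(...sources) {
  const merged = Object.create(null);
  for (const src of sources) {
    for (const key of Object.keys(src ?? {})) merged[key] = src[key];
  }
  return merged;
}

// Run `fn` while Object.prototype carries a planted reviver, then restore it.
// This stands in for the separate, pre-existing prototype pollution bug that
// the advisory lists as a prerequisite; the reviver only rewrites one field.
function withPollutedPrototype(fn) {
  Object.defineProperty(Object.prototype, 'parseReviver', {
    value: (key, value) => (key === 'role' ? 'admin' : value),
    configurable: true, writable: true, enumerable: false,
  });
  try { return fn(); } finally { delete Object.prototype.parseReviver; }
}

// Returns the "role" each variant observes while the prototype is polluted.
function demo() {
  return withPollutedPrototype(() => ({
    unsafe: parseUnsafe(BODY).role,                                     // tampered
    hardened: parseHardened(BODY).role,                                 // intact
    pinned: parseUnsafe(BODY, { parseReviver: undefined }).role,        // intact: explicit own property wins
    nullProto: parseUnsafe(BODY, mergeConfig({ timeout: 1000 })).role,  // intact: no prototype chain
  }));
}

console.log(demo());
```

Only the unsafe lookup reports the tampered role; the hardened lookup, the pinned option and the null-prototype config all return the body unchanged, which is why the advisory offers parseReviver: undefined as a stopgap for users who cannot upgrade immediately. The third mitigation, Object.freeze(Object.prototype), blocks the prerequisite pollution step itself rather than the gadget, but it can break libraries that legitimately extend Object.prototype, so it should be exercised in a test environment before rollout.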

Remediation Steps:

  1. Identify all projects utilizing Axios versions 1.0.0 through 1.15.1.
  2. Update package dependencies (e.g., via npm update axios or modifying package.json).
  3. Verify the update by reviewing the lockfile to ensure version 1.15.2 is resolved.
  4. Run integration tests to ensure Axios configurations function correctly with the null-prototype objects introduced in the patch.
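Step 3 is easy to get wrong when a transitive dependency pins its own copy of axios, because npm update axios may leave a stale nested copy under node_modules/<pkg>/node_modules/axios. The script below is an added example, not part of the advisory or of any npm tooling: it walks a parsed package-lock.json (lockfile v2/v3 "packages" map, or the v1 "dependencies" tree), lists every resolved copy of axios, and flags those in the affected range. The function names findAxios, isAffected, compareVersions and audit, the lockfile fragment SAMPLE_LOCK and the package name some-sdk are all constructed for this example.

```javascript
// Added example (not part of the advisory): audit a package-lock.json for
// every resolved copy of axios and flag any in the affected range. Nested
// copies (node_modules/<pkg>/node_modules/axios) count too, which is why the
// check walks every key rather than reading the top-level entry only.
const FIRST_AFFECTED = '1.0.0';
const FIXED = '1.15.2';

// Compare two dotted version strings numerically; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: >= 1.0.0 and < 1.15.2.
function isAffected(version) {
  return compareVersions(version, FIRST_AFFECTED) >= 0 && compareVersions(version, FIXED) < 0;
}

// Collect every axios entry from lockfile v2/v3 ("packages") or v1 ("dependencies").
function findAxios(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'axios') found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found.map((e) => ({ ...e, affected: isAffected(e.version) }));
}

// Constructed lockfile fragment: the root copy is patched, but a hypothetical
// dependency "some-sdk" still resolves its own stale nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '0.1.0' },
    'node_modules/axios': { version: '1.15.2' },
    'node_modules/some-sdk': { version: '2.0.0', dependencies: { axios: '^1.6.0' } },
    'node_modules/some-sdk/node_modules/axios': { version: '1.7.9' },
  },
};

// Returns only the copies that still need attention.
function audit(lock = SAMPLE_LOCK) {
  return findAxios(lock).filter((e) => e.affected);
}

console.log(audit());
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); an empty result from audit() means every resolved copy is at 1.15.2 or later, which is the condition step 3 asks you to verify. A non-empty result usually means a dependency's own version constraint needs a dedupe or an override rather than another npm update axios.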

Read the full report for CVE-2026-42044 on our website for more details including interactive diagrams and full exploit analysis.