
Axios CVE-2026-42035
EUVD-2026-25589 · HIGH
HTTP Response Splitting (CWE-113)
Published 2026-04-24 · Source: GitHub_M · GHSA-6chq-wfr3-2hj9
CVSS 3.1 base score: 7.4

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline (7 entries)

Patch released - Apr 27, 2026 19:58 (nvd)
Patch available - Apr 24, 2026 19:01 (EUVD)
Re-analysis Queued - Apr 24, 2026 18:22 (vuln.today), reason: cvss_changed
Analysis Generated - Apr 24, 2026 18:15 (vuln.today)
EUVD ID Assigned - Apr 24, 2026 18:00 (euvd), EUVD-2026-25589
Analysis Generated - Apr 24, 2026 18:00 (vuln.today)
CVE Published - Apr 24, 2026 17:38 (nvd), severity HIGH 7.4

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to 4-path depth):
  • 273 npm packages depend on axios (189 direct, 84 indirect)

Ecosystem-wide dependent count for version 1.0.0.

Description (NVD)

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload: if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself; any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.

Analysis (AI-generated)

Prototype pollution in Axios 1.x (prior to 1.15.1) and 0.x (prior to 0.31.1) enables HTTP header injection attacks when any dependency in the application pollutes Object.prototype with specific properties (getHeaders, append, pipe, on, once, Symbol.toStringTag). Attackers exploit the HTTP adapter's duck-type checking to inject arbitrary headers into outbound HTTP requests, potentially leading to authentication bypass, session hijacking, or cache poisoning. …
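As an added example (not axios's code and not part of this advisory), the defender-side check below tells the duck-typed gadget shape described above apart from a genuine FormData-like object, and a try/finally harness simulates the six-property pollution to confirm that the hardened check rejects a plain request body while the loose one accepts it. The names GADGET_PROPS, looksLikeFormDataLoose, looksLikeFormDataStrict, FormDataLike and runPollutionRegression are assumptions of this example, and the loose check is an approximation of the pattern the description reports, not axios's actual code.

```javascript
// Added example, not axios code: defender-side checks for the FormData gadget shape described above.
const GADGET_PROPS = ['getHeaders', 'append', 'pipe', 'on', 'once', Symbol.toStringTag];

// Gadget properties present on a prototype (default Object.prototype); normally [] at startup,
// so a non-empty result in a health check means something has already polluted the prototype.
function findPollutedGadgetProps(proto = Object.prototype) {
  return GADGET_PROPS.filter((p) => Object.prototype.hasOwnProperty.call(proto, p)).map(String);
}
// Loose duck typing as the advisory describes it (approximation): inherited members count,
// so once Object.prototype carries these six properties every plain object passes.
function looksLikeFormDataLoose(v) {
  return v !== null && typeof v === 'object' && typeof v[Symbol.toStringTag] === 'string' &&
    ['getHeaders', 'append', 'pipe', 'on', 'once'].every((m) => typeof v[m] === 'function');
}
// Object in v's prototype chain that actually defines prop, or null.
function definingObject(v, prop) {
  for (let o = v; o !== null; o = Object.getPrototypeOf(o)) {
    if (Object.prototype.hasOwnProperty.call(o, prop)) return o;
  }
  return null;
}
// Hardened variant: no required member may resolve from Object.prototype itself, so a polluted
// root prototype never turns a plain object into "FormData"; real FormData-like classes still pass.
function looksLikeFormDataStrict(v) {
  if (!looksLikeFormDataLoose(v)) return false;
  return GADGET_PROPS.every((p) => {
    const owner = definingObject(v, p);
    return owner !== null && owner !== Object.prototype;
  });
}
// Constructed stand-in for a legitimate FormData-like class (methods live on its own prototype).
class FormDataLike {
  getHeaders() { return {}; } append() {} pipe() {} on() {} once() {}
  get [Symbol.toStringTag]() { return 'FormData'; }
}
// Regression harness: simulates the pollution inside try/finally, records what each check
// says about a plain request body, then restores Object.prototype before returning.
function runPollutionRegression() {
  const body = { user: 'alice' }; // constructed plain-object payload
  try {
    for (const p of ['append', 'pipe', 'on', 'once']) Object.prototype[p] = function () {};
    Object.prototype.getHeaders = () => ({}); // the member the gadget makes the adapter call
    Object.prototype[Symbol.toStringTag] = 'FormData';
    return { polluted: findPollutedGadgetProps(), loose: looksLikeFormDataLoose(body),
      strict: looksLikeFormDataStrict(body), legit: looksLikeFormDataStrict(new FormDataLike()) };
  } finally {
    for (const p of GADGET_PROPS) delete Object.prototype[p];
  }
}
```

Calling findPollutedGadgetProps() at process start, after all dependencies are loaded, gives a cheap runtime signal that the precondition for this gadget is present even before any request is built.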


Remediation (AI-generated)

Within 24 hours: Inventory all applications and dependencies using Axios 0.x or 1.x (prior to 0.31.1 and 1.15.1 respectively) using Software Composition Analysis tools. Within 7 days: Upgrade Axios to version 1.15.1 or later for 1.x deployments, or 0.31.1 or later for 0.x deployments; prioritize applications with internet-facing endpoints. …


Vendor Status


CVE-2026-42035 vulnerability details – vuln.today
