Skip to main content

Axios EUVDEUVD-2026-25589

| CVE-2026-42035 HIGH
HTTP Response Splitting (CWE-113)
2026-04-24 GitHub_M GHSA-6chq-wfr3-2hj9
7.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat
7.4 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Patch released
Apr 27, 2026 - 19:58 nvd
Patch available
Patch available
Apr 24, 2026 - 19:01 EUVD
Re-analysis Queued
Apr 24, 2026 - 18:22 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 18:15 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 18:00 euvd
EUVD-2026-25589
Analysis Generated
Apr 24, 2026 - 18:00 vuln.today
CVE Published
Apr 24, 2026 - 17:38 nvd
HIGH 7.4

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 273 npm packages depend on axios (189 direct, 84 indirect)

Ecosystem-wide dependent count for version 1.0.0.

DescriptionGitHub Advisory

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself - any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.

AnalysisAI

Prototype pollution in Axios 1.x (prior to 1.15.1) and 0.x (prior to 0.31.1) enables HTTP header injection attacks when any dependency in the application pollutes Object.prototype with specific properties (getHeaders, append, pipe, on, once, Symbol.toStringTag). Attackers exploit the HTTP adapter's duck-type checking to inject arbitrary headers into outbound HTTP requests, potentially leading to authentication bypass, session hijacking, or cache poisoning. EPSS data unavailable; no confirmed active exploitation (CISA KEV) at time of analysis. Publicly available exploit code exists per vendor advisory GHSA-6chq-wfr3-2hj9.

Technical ContextAI

Axios is a widely-used promise-based HTTP client for browser and Node.js environments. This vulnerability (CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers) resides in lib/adapters/http.js, which handles Node.js HTTP/HTTPS requests. The code performs duck-type checking to identify FormData payloads by testing for specific methods and properties. When Object.prototype is polluted with getHeaders (function), append, pipe, on, once (functions), and Symbol.toStringTag (value), Axios misidentifies plain JavaScript objects as FormData instances. The vulnerable adapter then calls the attacker-controlled getHeaders() function and merges returned values into the outgoing request's headers object. This is a gadget vulnerability-the prototype pollution primitive can originate from any library in the dependency chain (lodash, jQuery, etc.), not Axios itself. The attack surface includes any Node.js application using vulnerable Axios versions where prototype pollution exists anywhere in the dependency tree.

RemediationAI

Upgrade to Axios 1.15.1 or later for 1.x users, or 0.31.1 or later for 0.x users. Vendor-released patches available via npm (npm update axios) or yarn (yarn upgrade axios). Consult vendor advisory at https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9 for migration guidance. If immediate upgrade is not feasible, implement defense-in-depth prototype pollution protections: freeze Object.prototype using Object.freeze(Object.prototype) at application bootstrap (side effect: breaks libraries relying on prototype extension), use --frozen-intrinsics flag in Node.js 20+ (performance overhead ~5-10%), or implement Content-Security-Policy headers and input validation to block known pollution vectors (reduces but does not eliminate risk). Additionally, audit dependency tree for known prototype pollution vulnerabilities using npm audit or Snyk, and prioritize remediation of pollution primitives that serve as prerequisites for this gadget. Note that mitigating pollution sources eliminates the attack prerequisite but does not fix the Axios gadget itself.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

Share

EUVD-2026-25589 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy