
Axios HTTP Client EUVD-2026-25606

CVE-2026-42041 · MEDIUM (CVSS 3.1 base score 4.8, GitHub Advisory)
Improper Authentication (CWE-287)
Published 2026-04-24 · GitHub_M · GHSA-w9j2-pvgh-6h63

Severity by source

GitHub Advisory (primary): 4.8 MEDIUM, AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE: MEDIUM (qualitative)
Red Hat: 8.2 HIGH (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Patch released: Apr 27, 2026 - 20:07 (nvd)
Patch available: Apr 24, 2026 - 20:17 (EUVD)
Analysis Generated: Apr 24, 2026 - 18:46 (vuln.today)
EUVD ID Assigned (EUVD-2026-25606): Apr 24, 2026 - 18:15 (euvd)
Analysis Generated: Apr 24, 2026 - 18:15 (vuln.today)
CVE Published: Apr 24, 2026 - 17:55 (nvd)

Blast Radius

Ecosystem impact (transitive dependency graph resolved by vuln.today to a depth of 4):
  • 273 npm packages depend on axios (189 direct, 84 indirect)

Ecosystem-wide dependent count for version 1.0.0.

Description (GitHub Advisory)

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript's in operator, an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () => true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1.

Analysis (AI)

Prototype pollution in Axios library versions prior to 1.15.1 and 0.31.1 allows remote attackers to suppress HTTP error responses via pollution of Object.prototype.validateStatus, causing authentication failures and server errors to be silently treated as successful responses. The vulnerability requires high attack complexity (prototype pollution gadget chain) but enables complete bypass of application-level authentication and error handling without user interaction.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify prototype pollution source
Delivery: Pollute Object.prototype.validateStatus
Exploit: Trigger HTTP request in Axios
Execution: validateStatus resolves to polluted function
Persist: Error response accepted as success
Impact: Authentication bypass achieved

Vulnerability Assessment (AI)

Exploitation: Exploitation requires two specific conditions: first, a separate prototype pollution vulnerability must exist in the application or one of its dependencies (this CVE is the payload, not the initial vector); second, the vulnerable Axios version must be invoked to make HTTP requests after the prototype pollution occurs. …
Risk Assessment: CVSS 4.8 reflects a network attack vector but high complexity (AC:H), indicating that prototype pollution attacks are not trivial to execute in isolation. …
Exploit Scenario: An attacker exploits a separate prototype pollution vulnerability in the target application (e.g., via unsafe JSON parsing or object merge) to set Object.prototype.validateStatus to a function returning true. Subsequently, when the application makes an HTTP request using vulnerable Axios to an API that returns a 401 Unauthorized or 403 Forbidden response, Axios evaluates validateStatus without finding the property on the response config object itself, then checks the prototype chain via the in operator, finds the polluted function, executes it, and treats the error response as success. …
Remediation: Upgrade Axios to version 1.15.1 or later (for the 1.x series) or version 0.31.1 or later (for the 0.x series). …
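The merge behaviour that the description and exploit scenario above refer to, as an added example that is not Axios's own code: a minimal model of an `in`-based merge beside a hardened own-property variant (my construction, not necessarily the upstream patch), plus a runtime check a defender can run to spot a polluted validateStatus before requests are settled.

```javascript
// Added example, not Axios's code: a minimal model of the merge behaviour the
// advisory describes. `mergeDirectKeys` uses `in`, which walks the prototype
// chain; `mergeOwnKeys` is a hardened own-property variant (my construction).

const DEFAULT_VALIDATE_STATUS = (status) => status >= 200 && status < 300;
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Vulnerable strategy: `in` also resolves inherited (polluted) properties.
function mergeDirectKeys(userConfig, defaults, key) {
  if (key in userConfig) return userConfig[key];
  if (key in defaults) return defaults[key];
  return undefined;
}

// Hardened strategy: only own properties of either config object count.
function mergeOwnKeys(userConfig, defaults, key) {
  if (hasOwn(userConfig, key)) return userConfig[key];
  if (hasOwn(defaults, key)) return defaults[key];
  return undefined;
}

// Settle step: resolve validateStatus, then decide if the status is a success.
function isSuccess(status, userConfig, merge) {
  const validate = merge(userConfig, {}, 'validateStatus') || DEFAULT_VALIDATE_STATUS;
  return validate(status);
}

// Defender check: a fresh object "having" validateStatus without owning it
// means the property has been polluted onto the prototype chain.
function validateStatusIsPolluted() {
  const probe = {};
  return 'validateStatus' in probe && !hasOwn(probe, 'validateStatus');
}

// Reproduce the advisory's gadget condition in-process, then restore the prototype.
function demonstrate() {
  const result = {};
  Object.defineProperty(Object.prototype, 'validateStatus', {
    value: () => true, configurable: true, writable: true, enumerable: false,
  });
  try {
    result.detected = validateStatusIsPolluted();                      // true
    result.vulnerableAccepts401 = isSuccess(401, {}, mergeDirectKeys); // true
    result.hardenedAccepts401 = isSuccess(401, {}, mergeOwnKeys);      // false
    result.hardenedAccepts200 = isSuccess(200, {}, mergeOwnKeys);      // true
  } finally {
    delete Object.prototype.validateStatus;
  }
  return result;
}
```

The own-property variant still honours a validateStatus the caller sets on its own config object; it only stops inherited values from being consulted.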


Vendor Status

SUSE

Severity: Medium
Product Status:
  • SUSE Linux Enterprise Desktop 15 SP7: Fixed
  • SUSE Linux Enterprise High Performance Computing 12: Fixed
  • SUSE Linux Enterprise High Performance Computing 15 SP7: Fixed
