
Axios EUVD-2026-25607 | CVE-2026-42042 MEDIUM
Permissive List of Allowed Inputs (CWE-183)
2026-04-24 · GitHub Advisory GHSA-xx6v-rp6x-q39c
CVSS 3.1 5.4 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 5.4 MEDIUM, AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Red Hat: 6.1 MEDIUM (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline (6 events)

Patch released: Apr 27, 2026 - 20:05 (nvd)
Patch available: Apr 24, 2026 - 20:17 (EUVD)
Analysis generated: Apr 24, 2026 - 18:46 (vuln.today)
EUVD ID assigned, EUVD-2026-25607: Apr 24, 2026 - 18:15 (euvd)
Analysis generated: Apr 24, 2026 - 18:15 (vuln.today)
CVE published: Apr 24, 2026 - 18:03 (nvd)

Blast Radius (ecosystem impact)

  • 273 npm packages depend on axios (189 direct, 84 indirect)

Ecosystem-wide dependent count for version 1.0.0; the transitive graph is resolved by vuln.today to a depth of 4 paths.

Description (GitHub Advisory)

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy non-boolean value (via prototype pollution or misconfiguration), the same-origin check (isURLSameOrigin) is short-circuited, causing XSRF tokens to be sent to all request targets including cross-origin servers controlled by an attacker. This vulnerability is fixed in 1.15.1 and 0.31.1.

Analysis (AI)

Axios HTTP client versions prior to 1.15.1 and 0.31.1 use loose truthy/falsy comparison instead of strict boolean checks for the withXSRFToken config property, allowing XSRF tokens to be sent to cross-origin servers when the property is set to any truthy non-boolean value through prototype pollution or misconfiguration. This bypasses same-origin validation and enables attackers to exfiltrate XSRF tokens to attacker-controlled domains, compromising CSRF protection across applications using vulnerable versions.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: application vulnerable to prototype pollution
Delivery: attacker injects a truthy value into the withXSRFToken property
Exploit: user loads the poisoned JavaScript context
Install: user triggers an Axios HTTP request
C2: Axios evaluates withXSRFToken as truthy and skips the origin check
Execute: XSRF token transmitted to an attacker-controlled cross-origin endpoint
Impact: token exfiltrated, CSRF protection bypassed
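The description, analysis and attack chain above can be walked end to end in a few lines. The following is an added example written for this page, not code from the axios project or the advisory: it models the gate the advisory describes with a truthy check beside a strict boolean check, feeds both a constructed prototype-pollution payload, and shows which one still attaches the token to a cross-origin request. PAGE_ORIGIN, the cookie value, the attacker URL and unsafeMerge are assumptions for the demonstration; isURLSameOrigin is a stand-in for the axios helper of that name, not the library's implementation.

```javascript
// Added example, not code from the axios project or the advisory: a model of the
// XSRF-token gate the advisory describes. The page origin, cookie value, request
// URLs and pollution payload below are all constructed for the demonstration.
const PAGE_ORIGIN = 'https://app.example';      // assumed origin of the page running axios
const XSRF_COOKIE_VALUE = 'c0ffee';             // constructed XSRF-TOKEN cookie value
const ATTACKER_URL = 'https://attacker.example/collect';

// Stand-in for axios's isURLSameOrigin: relative URLs resolve against the page
// origin and count as same-origin; absolute URLs must match it exactly.
function isURLSameOrigin(url, pageOrigin = PAGE_ORIGIN) {
  return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Vulnerable gate (truthy semantics): any truthy value, including the strings and
// numbers named in the advisory, skips the same-origin check entirely.
function sendsTokenLoose(withXSRFToken, url) {
  return Boolean(withXSRFToken) || (withXSRFToken !== false && isURLSameOrigin(url));
}

// Hardened gate (strict boolean semantics): only the boolean true opts out of the
// same-origin check; every other value falls through to isURLSameOrigin.
function sendsTokenStrict(withXSRFToken, url) {
  return withXSRFToken === true || (withXSRFToken !== false && isURLSameOrigin(url));
}

// Headers the request would carry under a given gate.
function buildHeaders(config, url, gate) {
  const headers = {};
  if (gate(config.withXSRFToken, url)) headers['X-XSRF-TOKEN'] = XSRF_COOKIE_VALUE;
  return headers;
}

// Hypothetical vulnerable settings merge in the consuming application: a "__proto__"
// key in attacker-controlled JSON walks up to Object.prototype and writes there.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Walk the chain end to end and report what each gate does before and after pollution.
function runScenario() {
  const before = {
    loose: buildHeaders({}, ATTACKER_URL, sendsTokenLoose),
    strict: buildHeaders({}, ATTACKER_URL, sendsTokenStrict),
  };
  // Delivery: constructed attacker JSON merged into user-supplied settings.
  const payload = JSON.parse('{"__proto__": {"withXSRFToken": "bypass"}}');
  unsafeMerge({}, payload);
  // A fresh request config that never set withXSRFToken now inherits 'bypass'.
  const config = {};
  const after = {
    inherited: config.withXSRFToken,
    loose: buildHeaders(config, ATTACKER_URL, sendsTokenLoose),
    strict: buildHeaders(config, ATTACKER_URL, sendsTokenStrict),
  };
  delete Object.prototype.withXSRFToken;  // undo the pollution so the demo is repeatable
  return { before, after };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Run with node. Before pollution neither gate attaches the token to the cross-origin request; after it, the loose gate sends X-XSRF-TOKEN to the attacker URL and the strict gate does not. Note what the strict comparison does and does not buy in this model: it refuses every non-boolean value, which is exactly the class the advisory describes, but a pollution payload that delivers the boolean true itself would still pass it. The strict check narrows the bypass; the prototype-pollution sink in the consuming application remains the root cause to fix.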

Vulnerability Assessment (AI)

Exploitation: Exploitation requires one of the following conditions: (1) the consuming application is vulnerable to prototype pollution and the attacker can inject a truthy non-boolean value into Object.prototype.withXSRFToken or directly into the Axios config object's withXSRFToken property, or (2) a developer explicitly misconfigures withXSRFToken with a non-boolean truthy value such as a string (e.g., config.withXSRFToken = 'true' or 'always') or a number instead of the intended boolean true. …
Risk Assessment: This vulnerability presents moderate real-world risk, in line with its CVSS score of 5.4 (medium). …
Exploit Scenario: An attacker identifies that a web application uses Axios and is vulnerable to prototype pollution via a user-controlled query parameter or form input. The attacker crafts a malicious request containing a prototype pollution payload that sets Object.prototype.withXSRFToken to 'bypass' (a truthy non-boolean string). …
Remediation: Upgrade Axios to version 1.15.1 or later for the 1.x branch, or 0.31.1 or later for the 0.x branch. …
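The Blast Radius figures above count indirect dependents, and a transitive copy of axios can sit under another package's own node_modules where a top-level version check misses it. The following is an added example, not code from the advisory, the axios project or vuln.today: it walks an npm lockfile's `packages` map and flags every axios entry whose version falls in the affected ranges the Remediation paragraph gives. The lockfile, the `legacy-sdk` package name and the versions in it are constructed; the affected-range logic encodes only what the advisory states.

```javascript
// Added example, not code from the advisory or the axios project: flag axios
// versions in the ranges the advisory calls affected (before 1.15.1 on the 1.x line,
// before 0.31.1 on the 0.x line), including copies nested under other packages.
// The lockfile below is constructed; the package names and versions are illustrative.
const FIXED_BY_MAJOR = { 1: [1, 15, 1], 0: [0, 31, 1] };

// Parse "1.15.1", "v1.15.1" or "1.15.1-beta.1" into numeric parts plus any prerelease tag.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  return m ? { nums: m.slice(1, 4).map(Number), pre: m[4] || null } : null;
}

function compareNums(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the version sits in an affected range. A prerelease of the fixed
// version (1.15.1-beta.1) sorts before the release and is therefore still affected.
// Majors the advisory does not name are treated as not affected; unparseable
// versions are reported as affected so they get a human look rather than a pass.
function isAffected(version) {
  const parsed = parseVersion(version);
  if (!parsed) return true;
  const fixed = FIXED_BY_MAJOR[parsed.nums[0]];
  if (!fixed) return false;
  const cmp = compareNums(parsed.nums, fixed);
  return cmp < 0 || (cmp === 0 && parsed.pre !== null);
}

// npm lockfile v2/v3 "packages" keys are install paths such as
// "node_modules/axios" or "node_modules/legacy-sdk/node_modules/axios".
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
      findings.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return findings;
}

// Constructed lockfile: one direct axios on the 1.x line and one transitive 0.x copy
// pulled in by a hypothetical "legacy-sdk" package.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0', 'legacy-sdk': '1.0.0' } },
    'node_modules/axios': { version: '1.14.0' },
    'node_modules/legacy-sdk': { version: '1.0.0', dependencies: { axios: '^0.30.0' } },
    'node_modules/legacy-sdk/node_modules/axios': { version: '0.30.0' },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.path} ${f.version} ${f.affected ? 'AFFECTED, upgrade' : 'ok'}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the nested path match is what catches the indirect copies, which `npm ls axios` also lists but a plain `grep` of the top-level version does not.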
