Axios CVE-2026-42035: Prototype Pollution Leads to Header Injection

The National Vulnerability Database has disclosed CVE-2026-42035, a high-severity prototype pollution vulnerability in Axios, a widely used HTTP client for browsers and Node.js. The flaw, present in versions prior to 1.15.1 and 0.31.1, lies in the Node.js HTTP adapter (lib/adapters/http.js) and allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability is rated 7.4 (HIGH) on the CVSS scale.

The attack vector leverages Axios's duck-typed detection of FormData payloads. An attacker who can pollute Object.prototype with specific members (getHeaders, append, pipe, on, once, Symbol.toStringTag) causes Axios to misinterpret a plain object as a FormData instance. Axios then calls the attacker-controlled getHeaders() function and merges the headers it returns into the outgoing request. Critically, the prototype pollution source does not need to originate from Axios itself; any vulnerable dependency in the application's tree is sufficient to trigger this gadget.
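To make the mechanism concrete, here is an added example (not Axios's code and not from the advisory) that models the duck-type check in a loose form that inherited members can satisfy, beside a strict form that only trusts own properties or a real FormData instance. The names `isFormDataLoose`, `isFormDataStrict`, `pollutedMembers` and `demonstrate` are hypothetical, and the pollution is constructed in-process for the demo and undone afterwards.

```javascript
// Added example (not Axios's code): a simplified model of FormData duck typing.
// Symbol.toStringTag is left out; the function members are enough to show the point.
const DUCK_MEMBERS = ['getHeaders', 'append', 'pipe', 'on', 'once'];

// Loose check: any object whose members *look* like FormData passes, even when
// those members are inherited from a polluted Object.prototype.
function isFormDataLoose(thing) {
  return thing !== null && typeof thing === 'object' &&
    DUCK_MEMBERS.every((m) => typeof thing[m] === 'function');
}

// Strict check: accepts a genuine FormData instance; otherwise every member must be
// the object's own property, so anything inherited from the prototype is ignored.
function isFormDataStrict(thing) {
  if (typeof FormData !== 'undefined' && thing instanceof FormData) return true;
  return thing !== null && typeof thing === 'object' &&
    DUCK_MEMBERS.every((m) => Object.hasOwn(thing, m) && typeof thing[m] === 'function');
}

// Startup/self-test helper: returns the gadget member names that currently sit
// directly on Object.prototype (an empty list means no pollution of these names).
function pollutedMembers(names = DUCK_MEMBERS) {
  return names.filter((n) => Object.hasOwn(Object.prototype, n));
}

// Simulates the effect of a pollution primitive elsewhere in the dependency tree
// (constructed for this demo, removed again in `finally`) and compares both checks.
function demonstrate() {
  const body = { user: 'alice' };            // an ordinary JSON request body
  const before = { loose: isFormDataLoose(body), strict: isFormDataStrict(body) };
  for (const m of DUCK_MEMBERS) Object.prototype[m] = function () {};
  try {
    return {
      before,
      during: { loose: isFormDataLoose(body), strict: isFormDataStrict(body) },
      polluted: pollutedMembers(),
    };
  } finally {
    for (const m of DUCK_MEMBERS) delete Object.prototype[m];
  }
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

Freezing the prototype at process start (`Object.freeze(Object.prototype)`) is a complementary hardening that blocks the assignment this demo performs, whereas the strict check only protects the consumer side.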

This vulnerability highlights the insidious nature of prototype pollution, which often flies under the radar until it’s chained with other application logic. For defenders, this isn’t just about Axios; it’s a reminder that a single, seemingly minor prototype pollution primitive anywhere in a complex dependency graph can have significant downstream consequences. The National Vulnerability Database reports this issue is fixed in Axios versions 1.15.1 and 0.31.1.

What This Means For You

  • If your organization uses Axios, immediately check your dependency tree for versions prior to 1.15.1 or 0.31.1. Prioritize patching to 1.15.1 or 0.31.1 to mitigate CVE-2026-42035. This vulnerability allows for arbitrary HTTP header injection, which attackers can leverage for session hijacking, bypassing security controls, or even initiating Server-Side Request Forgery (SSRF) attacks. Furthermore, audit your application's entire dependency graph for *any* prototype pollution primitives, as this Axios vulnerability can be triggered by pollution originating from other libraries.

Related ATT&CK Techniques

🛡️ Detection Rules


Severity: critical · ATT&CK T1190 (Initial Access)

CVE-2026-42035: Axios Prototype Pollution to Header Injection

Sigma YAML (free preview):

```yaml
# Title is quoted: a plain scalar containing ': ' is invalid YAML.
title: 'CVE-2026-42035: Axios Prototype Pollution to Header Injection'
id: scw-2026-04-24-ai-1
status: experimental
level: critical
description: |
  Detects potential exploitation of CVE-2026-42035 by looking for requests targeting Axios
  with a query parameter indicative of prototype pollution leading to header injection.
  This rule specifically targets the vulnerability in the Axios HTTP adapter where an
  attacker can inject arbitrary HTTP headers into outgoing requests by polluting the
  Object.prototype.
author: SCW Feed Engine (AI-generated)
date: 2026-04-24
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42035/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/axios/'
    cs-uri-query|contains:
      - 'polluted_prototype=getHeaders'
  # condition is a sibling of selection under detection, not nested inside it
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Source: Shimi's Cyber World


Indicators of Compromise

ID              Type            Indicator
CVE-2026-42035  Code Injection  Axios < 1.15.1
CVE-2026-42035  Code Injection  Axios < 0.31.1
CVE-2026-42035  Code Injection  Vulnerable component: lib/adapters/http.js
CVE-2026-42035  Code Injection  Prototype pollution gadget allowing arbitrary HTTP header injection

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 24, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
