Axios Prototype Pollution: Critical Vulnerability Exposes HTTP Requests

The National Vulnerability Database has detailed CVE-2026-42264, a high-severity prototype pollution vulnerability affecting Axios, a widely used promise-based HTTP client for both browser and Node.js environments. Versions 1.0.0 through 1.15.1 are impacted. The flaw is that five critical configuration properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) are read from the request config without a hasOwnProperty guard, so a value inherited from Object.prototype is treated as if the caller had set it.

This vulnerability means that if another dependency in the same process pollutes Object.prototype, Axios will silently pick up these malicious values for every outbound HTTP request. Attackers can hijack or manipulate critical request parameters, potentially leading to data exfiltration, unauthorized access, or command injection, depending on the polluted property. The National Vulnerability Database assigns a CVSSv3.1 score of 7.4 (High) to this issue, highlighting its severe impact on confidentiality and integrity.

Defenders must understand that this isn’t a direct Axios exploit but rather a silent amplification of existing prototype pollution in the environment. The fix is available in Axios version 1.15.2. Organizations relying on Axios for their web applications or backend services need to prioritize this patch to neutralize the risk of their HTTP requests being compromised by seemingly unrelated third-party library vulnerabilities.
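As an added illustration (not Axios's own code), the following models the defect described above: a config reader that uses plain property access inherits a polluted Object.prototype value, while an own-property guard does not. It also includes a small runtime audit a defender can run to see whether any of the five named properties are currently reachable through Object.prototype. The function names and the constructed pollution value are assumptions.

```javascript
// Added illustration, not Axios's code. The five property names are the ones
// named in the advisory; function names and the sample values are constructed.
const SENSITIVE_KEYS = ['auth', 'baseURL', 'socketPath', 'beforeRedirect', 'insecureHTTPParser'];

// Vulnerable pattern: plain property access walks the prototype chain, so a
// polluted Object.prototype.baseURL is used whenever the caller set none.
function resolveConfigUnguarded(config) {
  const resolved = {};
  for (const key of SENSITIVE_KEYS) {
    if (config[key] !== undefined) resolved[key] = config[key];
  }
  return resolved;
}

// Hardened pattern: only honour properties the caller actually set on the object.
function resolveConfigGuarded(config) {
  const resolved = {};
  for (const key of SENSITIVE_KEYS) {
    if (Object.prototype.hasOwnProperty.call(config, key)) resolved[key] = config[key];
  }
  return resolved;
}

// Defender-side audit: which of the sensitive keys are currently reachable on
// Object.prototype, i.e. evidence that something in this process has polluted it.
function findPollutedKeys() {
  return SENSITIVE_KEYS.filter((key) => key in Object.prototype);
}

// Constructed demonstration: pollute, observe both readers, then restore the
// prototype so the process is left as it was found.
function demo() {
  const callerConfig = { auth: { username: 'svc', password: 'secret' } };
  const result = {};
  Object.prototype.baseURL = 'https://polluted.example/'; // constructed pollution
  try {
    result.polluted = findPollutedKeys();                    // ['baseURL']
    result.unguarded = resolveConfigUnguarded(callerConfig); // baseURL leaks in
    result.guarded = resolveConfigGuarded(callerConfig);     // only auth survives
  } finally {
    delete Object.prototype.baseURL;
  }
  result.afterCleanup = findPollutedKeys();                  // []
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running findPollutedKeys() at startup, after all dependencies are loaded, is a cheap way to catch pollution before any request is built.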

What This Means For You

  • If your applications or services use Axios, immediately audit your dependency tree. Prioritize upgrading Axios to version 1.15.2 or later to mitigate CVE-2026-42264. This isn't just about Axios; it's about how other dependencies can silently compromise core functionality. Ensure your supply chain security practices account for transitive prototype pollution.

Detection Rules

The Sigma rule shown below is one of three auto-generated for this advisory and mapped to MITRE ATT&CK.

Level: high · Technique: T1059.004 (Execution)

CVE-2026-42264 - Axios Prototype Pollution via HTTP Adapter Properties

Sigma YAML:
title: CVE-2026-42264 - Axios Prototype Pollution via HTTP Adapter Properties
id: scw-2026-05-08-ai-1
status: experimental
level: high
description: |
  Detects the execution of Node.js with the --eval flag, which could be used to execute arbitrary JavaScript code. This rule specifically targets the potential for CVE-2026-42264 exploitation where prototype pollution in Axios can lead to the manipulation of HTTP requests. The vulnerability lies in Axios versions prior to 1.15.2, where specific config properties are vulnerable to prototype pollution, allowing attackers to influence outbound HTTP requests when Object.prototype is polluted.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42264/
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
detection:
  selection:
    # 'node.exe' only matches Windows hosts; on Linux/macOS the binary is named 'node'
    Image|contains:
      - 'node.exe'
    CommandLine|contains:
      - '--eval'
  # condition must be a sibling of selection, not a field inside it
  condition: selection
falsepositives:
  - Legitimate administrative activity
# Note: this rule keys on node --eval in general and does not observe prototype
# pollution itself; treat a hit as a hunting lead, not proof of CVE-2026-42264 exploitation.

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type                 Indicator
CVE-2026-42264  Prototype Pollution  Axios versions 1.0.0 to 1.15.1
CVE-2026-42264  Prototype Pollution  Axios config properties: auth, baseURL, socketPath, beforeRedirect, insecureHTTPParser
CVE-2026-42264  Patch                Upgrade Axios to version 1.15.2 or later

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 07:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
