CVE-2026-42035 Overview
A prototype pollution gadget vulnerability has been discovered in Axios, a widely-used promise-based HTTP client for browsers and Node.js. This vulnerability exists in the Axios HTTP adapter (lib/adapters/http.js) and allows attackers to inject arbitrary HTTP headers into outgoing requests through prototype pollution exploitation.
The vulnerability stems from duck-type checking of the data payload. When Object.prototype is polluted with specific properties (getHeaders, append, pipe, on, once, and Symbol.toStringTag), Axios incorrectly identifies any plain object payload as a FormData instance. This misidentification causes Axios to call the attacker-controlled getHeaders() function and merge the returned headers into the outgoing request.
Critical Impact
Attackers can inject arbitrary HTTP headers into outgoing requests, potentially leading to authentication bypass, cache poisoning, or exploitation of downstream services through HTTP Response Splitting (CWE-113).
Affected Products
- Axios 1.x versions prior to 1.15.1
- Axios 0.x versions prior to 0.31.1
- Any application using Axios with a prototype pollution primitive in its dependency tree
Discovery Timeline
- April 24, 2026 - CVE-2026-42035 published to NVD
- April 27, 2026 - Last updated in NVD database
Technical Details for CVE-2026-42035
Vulnerability Analysis
The vulnerability is classified as HTTP Response Splitting (CWE-113) and stems from an insecure duck-typing implementation in the Axios HTTP adapter. The vulnerable code resides exclusively in lib/adapters/http.js, where Axios attempts to determine if a request payload is a FormData instance by checking for the presence of specific methods and properties rather than using proper type checking mechanisms.
When processing outgoing HTTP requests, Axios checks whether the data payload has certain FormData-like properties. If all required properties are present on the object (either directly or through the prototype chain), Axios treats the payload as FormData and invokes its getHeaders() method to merge custom headers into the request. An attacker who can pollute Object.prototype with these properties can cause Axios to treat any plain object as FormData and execute attacker-controlled code.
Critically, the prototype pollution source does not need to originate from Axios itself. Any prototype pollution primitive in any dependency within the application's dependency tree is sufficient to trigger this gadget. This makes the vulnerability particularly dangerous in complex Node.js applications with extensive dependency trees.
Root Cause
The root cause is insufficient type validation when determining whether a request payload is a FormData instance. Instead of using proper type checking mechanisms like instanceof checks or comparing constructor references, the code relies on duck-type checking that examines the presence of specific properties. This approach is inherently vulnerable to prototype pollution attacks because properties can be injected into the prototype chain of all objects.
The vulnerable pattern checks for the existence of methods (getHeaders, append, pipe, on, once) and the Symbol.toStringTag property, all of which can be polluted on Object.prototype by an attacker with access to a prototype pollution primitive elsewhere in the application.
Attack Vector
The attack follows a two-stage exploitation pattern. First, an attacker must achieve prototype pollution through any vulnerability in the application or its dependencies. This could be through insecure object merging, JSON parsing vulnerabilities, or other common prototype pollution vectors.
Once Object.prototype is polluted with the required properties, any subsequent Axios request with a plain object payload will trigger the gadget. The attacker-controlled getHeaders() function executes, returning arbitrary headers that get merged into the outgoing HTTP request.
This attack vector is network-accessible and requires no user interaction, though it does require the presence of a prototype pollution primitive in the target application. The injected headers can be used for various attacks including HTTP response splitting, cache poisoning, authentication header injection, or manipulation of security-sensitive headers.
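The check described above, as an added illustration that is not Axios's own code: a reconstruction of the duck-typed "is this FormData?" test, beside a stricter check that ignores anything inherited from Object.prototype. The property names are the ones the advisory lists; the shape of both checks, the FakeFormData stand-in and the sample payload are assumptions. The pollution used to exercise the checks is confined to a try/finally and undone before the function returns.

```javascript
// Added illustration, not Axios's own code. Property names come from the
// advisory; the body of both checks is an assumption.
const FORM_DATA_DUCK_PROPS = ['getHeaders', 'append', 'pipe', 'on', 'once'];

// Vulnerable pattern: every lookup walks the full prototype chain, so a plain
// object passes as soon as Object.prototype supplies the methods and the tag.
function isFormDataDuckTyped(thing) {
  return (
    thing !== null &&
    typeof thing === 'object' &&
    FORM_DATA_DUCK_PROPS.every((name) => typeof thing[name] === 'function') &&
    thing[Symbol.toStringTag] === 'FormData'
  );
}

// Hardened pattern (an assumption, not the upstream fix): a plain object is
// never FormData, and only properties found below Object.prototype count.
function isFormDataHardened(thing) {
  if (thing === null || typeof thing !== 'object') return false;
  const proto = Object.getPrototypeOf(thing);
  if (proto === null || proto === Object.prototype) return false; // plain object
  if (typeof globalThis.FormData === 'function' && thing instanceof globalThis.FormData) return true;
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const found = new Set();
  // Walk the chain but stop before Object.prototype, so polluted keys never count.
  for (let p = thing; p !== null && p !== Object.prototype; p = Object.getPrototypeOf(p)) {
    for (const name of FORM_DATA_DUCK_PROPS) {
      if (hasOwn(p, name) && typeof p[name] === 'function') found.add(name);
    }
    if (hasOwn(p, Symbol.toStringTag) && p[Symbol.toStringTag] === 'FormData') found.add('tag');
  }
  return found.size === FORM_DATA_DUCK_PROPS.length + 1;
}

// Constructed stand-in for a real multipart body: methods live on its own prototype.
class FakeFormData {
  getHeaders() { return { 'content-type': 'multipart/form-data; boundary=demo' }; }
  append() {}
  pipe() {}
  on() {}
  once() {}
  get [Symbol.toStringTag]() { return 'FormData'; }
}

// Run fn while Object.prototype carries the trigger set, then remove every key added.
function withPollutedPrototype(fn) {
  const added = [];
  try {
    for (const name of FORM_DATA_DUCK_PROPS) {
      if (!(name in Object.prototype)) {
        Object.prototype[name] = function () { return {}; }; // returns no headers on purpose
        added.push(name);
      }
    }
    if (!(Symbol.toStringTag in Object.prototype)) {
      Object.prototype[Symbol.toStringTag] = 'FormData';
      added.push(Symbol.toStringTag);
    }
    return fn();
  } finally {
    for (const key of added) delete Object.prototype[key];
  }
}

// What each check decides about a plain JSON-style payload while the prototype is polluted.
function classifyPlainPayload() {
  const payload = { user: 'alice' }; // constructed sample body
  return withPollutedPrototype(() => ({
    duckTyped: isFormDataDuckTyped(payload), // true: the gadget would fire
    hardened: isFormDataHardened(payload),   // false: rejected as a plain object
  }));
}
```

The hardened variant stops its walk before Object.prototype, which is the one object an attacker with a pollution primitive can reach from any plain payload; a genuine FormData-like body still passes because its methods sit on its own prototype. Whether the upstream patch does exactly this is not stated on this page; consult GHSA-6chq-wfr3-2hj9 for the actual change.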
Detection Methods for CVE-2026-42035
Indicators of Compromise
- Unexpected HTTP headers appearing in outgoing requests from Node.js applications using Axios
- Anomalous values in Object.prototype containing functions like getHeaders, append, pipe, on, or once
- Evidence of prototype pollution attacks in application logs or WAF alerts
- Downstream services reporting malformed or suspicious HTTP headers from Axios-based clients
Detection Strategies
- Monitor application dependencies using software composition analysis (SCA) tools to identify vulnerable Axios versions
- Implement runtime prototype pollution detection to alert on modifications to Object.prototype
- Use application security monitoring to detect unusual patterns in outgoing HTTP requests
- Deploy intrusion detection rules that identify HTTP response splitting patterns in request headers
Monitoring Recommendations
- Enable detailed logging for outgoing HTTP requests in Axios-based applications to capture header modifications
- Implement integrity monitoring for core JavaScript prototypes (Object.prototype, Array.prototype)
- Monitor dependency audit reports for prototype pollution vulnerabilities in the application's dependency tree
- Configure alerting for any SCA tool findings related to Axios versions prior to the patched releases
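One way to implement the prototype integrity monitoring recommended above, as an added example that is not from the advisory or from Axios: it records the own property keys (strings and symbols) of the watched prototypes at startup and reports any key that later appears or disappears, ranking keys from the advisory's trigger set as high severity. The watched prototype list, the severity labels and the reporter callback are assumptions; the pollution in the self-check is constructed and removed again.

```javascript
// Added example, not from the advisory or from Axios.
const WATCHED_PROTOTYPES = new Map([
  ['Object.prototype', Object.prototype],
  ['Array.prototype', Array.prototype],
  ['Function.prototype', Function.prototype],
]);

// Keys the advisory names as the gadget's trigger set.
const GADGET_KEYS = new Set(['getHeaders', 'append', 'pipe', 'on', 'once', Symbol.toStringTag]);

const keyLabel = (key) => (typeof key === 'symbol' ? key.toString() : key);

// Baseline: a Set of own keys per prototype, including non-enumerable and symbol keys.
function snapshotPrototypes() {
  const baseline = new Map();
  for (const [name, proto] of WATCHED_PROTOTYPES) {
    baseline.set(name, new Set(Reflect.ownKeys(proto)));
  }
  return baseline;
}

// Diff the current state against a baseline; returns one finding per changed key.
function checkPrototypeIntegrity(baseline) {
  const findings = [];
  for (const [name, proto] of WATCHED_PROTOTYPES) {
    const before = baseline.get(name);
    const now = new Set(Reflect.ownKeys(proto));
    for (const key of now) {
      if (!before.has(key)) {
        findings.push({ prototype: name, key: keyLabel(key), change: 'added',
                        severity: GADGET_KEYS.has(key) ? 'high' : 'medium' });
      }
    }
    for (const key of before) {
      if (!now.has(key)) {
        findings.push({ prototype: name, key: keyLabel(key), change: 'removed', severity: 'medium' });
      }
    }
  }
  return findings;
}

// Poll on an interval and hand findings to a reporter (logger, SIEM forwarder, ...).
// Returns a function that stops the watcher.
function startPrototypeWatch(reporter, intervalMs = 5000) {
  const baseline = snapshotPrototypes();
  const timer = setInterval(() => {
    const findings = checkPrototypeIntegrity(baseline);
    if (findings.length > 0) reporter(findings);
  }, intervalMs);
  if (typeof timer.unref === 'function') timer.unref(); // do not keep the process alive for the watcher
  return () => clearInterval(timer);
}

// Self-check: add one unexpected key (constructed), confirm it is reported, clean up.
function demoDetection() {
  const baseline = snapshotPrototypes();
  const clean = checkPrototypeIntegrity(baseline);
  Object.prototype.getHeaders = () => ({});
  try {
    return { clean, polluted: checkPrototypeIntegrity(baseline) };
  } finally {
    delete Object.prototype.getHeaders;
  }
}
```

Take the baseline after polyfills and other legitimate prototype-extending libraries have loaded, otherwise they show up as medium findings on the first poll. Polling is deliberately simple; it catches a key that persists, which is the case that matters for this gadget, since the pollution must still be present when the next Axios request is built.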
How to Mitigate CVE-2026-42035
Immediate Actions Required
- Update Axios to version 1.15.1 or later if using the 1.x branch
- Update Axios to version 0.31.1 or later if using the 0.x branch
- Audit the application's dependency tree for other prototype pollution vulnerabilities
- Review and harden any code that performs object merging or property assignment
Patch Information
The vulnerability has been fixed in Axios versions 1.15.1 and 0.31.1. The fix implements proper type checking to prevent prototype pollution gadgets from being triggered. Users should update to these versions or later immediately.
For detailed information about the fix, see the GitHub Security Advisory GHSA-6chq-wfr3-2hj9.
Workarounds
- Freeze Object.prototype using Object.freeze(Object.prototype) if application compatibility allows
- Implement prototype pollution prevention by using Object.create(null) for objects that receive untrusted input
- Consider using defensive coding patterns that check hasOwnProperty before accessing potentially polluted properties
- Audit and update all dependencies to minimize prototype pollution attack surface
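The two coding workarounds above (null-prototype objects for untrusted input, own-property checks before reads) applied to a config-merging routine, the kind of code the advisory asks you to harden; this is an added example, not from the advisory or from Axios. The merge semantics, the helper names and the sample inputs are assumptions.

```javascript
// Added example, not from the advisory or from Axios. Inputs are constructed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Deep-merge `source` (untrusted, e.g. parsed JSON) over `target` into a fresh
// null-prototype object. Only own enumerable keys are copied, the keys that steer
// prototype pollution are dropped, and nested plain objects are rebuilt the same way.
function safeMerge(target, source) {
  const out = Object.create(null);
  for (const key of Object.keys(target)) {
    out[key] = isPlainObject(target[key]) ? safeMerge(Object.create(null), target[key]) : target[key];
  }
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      out[key] = safeMerge(isPlainObject(out[key]) ? out[key] : Object.create(null), value);
    } else {
      out[key] = value; // primitives and arrays are assigned, not merged
    }
  }
  return out;
}

// Read a key without consulting the prototype chain; `fallback` if it is not an own property.
function getOwn(obj, key, fallback) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : fallback;
}

// Worked run: defaults plus an untrusted JSON document carrying a "__proto__" key.
function demoMerge() {
  const defaults = { retries: 3, headers: { accept: 'application/json' } };
  const untrusted = JSON.parse(
    '{"__proto__": {"getHeaders": "x"}, "headers": {"x-trace": "abc123"}, "retries": 5}'
  );
  const merged = safeMerge(defaults, untrusted);
  return {
    retries: merged.retries,
    accept: merged.headers.accept,
    trace: merged.headers['x-trace'],
    nullProto: Object.getPrototypeOf(merged) === null,
    globalProtoClean: !('getHeaders' in {}),        // Object.prototype untouched
    timeout: getOwn(merged, 'timeout', 1000),       // absent key -> fallback
    toStringOwn: getOwn({}, 'toString', 'not-own'), // inherited keys are ignored
  };
}
```

JSON.parse creates a plain own property named "__proto__" rather than setting the prototype, so the danger is in the merge that copies it onward; dropping that key and writing into a null-prototype object closes the path regardless of which merge library the rest of the dependency tree uses. Objects produced this way are fine to hand to Axios as request data but have no toString or hasOwnProperty of their own, which is why the getOwn helper calls the method from Object.prototype explicitly.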
# Check which Axios versions are installed anywhere in the dependency tree
npm ls axios
# Update Axios to the patched 1.x release (npm update ignores a version suffix; use install)
npm install axios@^1.15.1
# Or for 0.x branch users
npm install axios@^0.31.1
# Audit dependencies for related vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


