CVE-2026-42041 Overview
CVE-2026-42041 is a Prototype Pollution "Gadget" vulnerability in Axios, a popular promise-based HTTP client for browser and Node.js environments. This vulnerability allows attackers to leverage any existing Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This effectively bypasses application-level authentication and error handling mechanisms.
Critical Impact
When exploited in conjunction with a prototype pollution vulnerability, this gadget allows attackers to completely bypass authentication mechanisms and error handling by making all HTTP status codes appear successful to the application.
Affected Products
- Axios 1.x versions prior to 1.15.1
- Axios 0.x versions prior to 0.31.1
- Applications using Axios in Node.js environments
Discovery Timeline
- 2026-04-24 - CVE-2026-42041 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-42041
Vulnerability Analysis
This vulnerability represents a Prototype Pollution Gadget attack vector within the Axios HTTP client library. Unlike a direct prototype pollution vulnerability, this is a "gadget" that amplifies the impact of any existing prototype pollution vulnerability in the application's dependency chain.
The vulnerability lets an attacker manipulate HTTP response handling at a fundamental level. Once Object.prototype carries a malicious validateStatus function, every HTTP response, including authentication failures (401), authorization denials (403) and server errors (500), is treated as successful. This silent suppression of error states can lead to severe security bypasses, particularly in applications that rely on HTTP status codes for authentication and authorization decisions.
Root Cause
The root cause lies in how Axios handles the validateStatus configuration property. This property uniquely uses the mergeDirectKeys merge strategy, which employs JavaScript's in operator to check for property existence. The in operator inherently traverses the prototype chain, meaning it will find properties defined on Object.prototype.
When an attacker pollutes Object.prototype.validateStatus with a function that returns true for all status codes (e.g., () => true), the polluted property is discovered during the merge process and applied to all Axios requests. This causes every HTTP response, regardless of its actual status code, to be treated as a successful response.
Attack Vector
The attack vector is network-based and requires the attacker to first establish a prototype pollution condition in the target application. This could be achieved through various means such as vulnerable dependencies, user-controlled JSON parsing, or other prototype pollution vulnerabilities in the application stack.
Once prototype pollution is achieved, the attacker pollutes Object.prototype.validateStatus with a function that always returns true. From that point forward, all Axios HTTP requests in the application will treat error responses as successful, potentially allowing:
- Bypassing authentication checks that rely on 401 responses
- Circumventing authorization controls expecting 403 responses
- Ignoring server-side validation errors
- Masking critical server errors that should halt processing
The vulnerability mechanism works as follows: When Axios merges configuration options, it uses the in operator to check if validateStatus exists. Since the in operator checks the entire prototype chain, it finds the polluted validateStatus on Object.prototype and uses it instead of the default validation logic. See the GitHub Security Advisory for complete technical details.
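The following is an added illustration, not Axios source code, of the merge behaviour described in the Root Cause and Attack Vector sections. The helper names (resolveValidateStatusVulnerable, resolveValidateStatusFixed, settle) are this page's own stand-ins for Axios internals; only the `in` check reproduces the behaviour that makes the gadget work, and the own-property check is one way to achieve what the patch description says, not the patch itself.

```javascript
// Added example (not Axios source code): a minimal model of the config-merge
// step the advisory describes. Helper names are stand-ins for Axios internals;
// only the `in` check reproduces the behaviour that makes the gadget work.

// Axios' default policy: only 2xx responses count as success.
function defaultValidateStatus(status) {
  return status >= 200 && status < 300;
}

// Vulnerable lookup: `in` walks the prototype chain, so a request config that
// never mentions validateStatus still "has" one once Object.prototype is polluted.
function resolveValidateStatusVulnerable(defaults, requestConfig) {
  if ('validateStatus' in requestConfig) return requestConfig.validateStatus;
  if ('validateStatus' in defaults) return defaults.validateStatus;
  return defaultValidateStatus;
}

// Hardened lookup: only own properties are honoured, so the chain is never consulted.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function resolveValidateStatusFixed(defaults, requestConfig) {
  if (hasOwn(requestConfig, 'validateStatus')) return requestConfig.validateStatus;
  if (hasOwn(defaults, 'validateStatus')) return defaults.validateStatus;
  return defaultValidateStatus;
}

// Stand-in for the point where the client decides whether a response resolves or rejects.
function settle(response, validate) {
  return validate(response.status) ? 'resolved' : 'rejected';
}

// Runs both lookups against a constructed 401 while Object.prototype carries a
// permissive validateStatus, then removes the polluted property again.
function demonstrateGadget() {
  const defaults = { validateStatus: defaultValidateStatus }; // library defaults
  const requestConfig = { url: '/admin' };                     // app never sets validateStatus
  const unauthorized = { status: 401 };                        // constructed response
  Object.defineProperty(Object.prototype, 'validateStatus', {
    value: () => true, configurable: true, writable: true, enumerable: false,
  });
  try {
    return {
      vulnerable: settle(unauthorized, resolveValidateStatusVulnerable(defaults, requestConfig)),
      fixed: settle(unauthorized, resolveValidateStatusFixed(defaults, requestConfig)),
    };
  } finally {
    delete Object.prototype.validateStatus;
  }
}

console.log(demonstrateGadget()); // { vulnerable: 'resolved', fixed: 'rejected' }
```

The request config in the demonstration is the realistic case: most applications never set validateStatus, so the only thing standing between a polluted prototype and the response decision is whether the lookup stops at own properties.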
Detection Methods for CVE-2026-42041
Indicators of Compromise
- Unexpected successful responses from API endpoints that should return errors
- Authentication flows completing successfully without proper credentials
- Application logs showing successful API calls where server-side logs indicate error responses
- Absence of expected error handling code paths being executed
Detection Strategies
- Monitor for discrepancies between server-side access logs (showing 401/403/500 responses) and client-side application behavior treating these as successful
- Implement server-side logging and alerting that doesn't rely on client-side error handling
- Use Software Composition Analysis (SCA) tools to identify vulnerable Axios versions in your dependency tree
- Audit your application's dependencies for known prototype pollution vulnerabilities that could enable this gadget
Monitoring Recommendations
- Implement backend instrumentation to track HTTP response codes independently of client-side handling
- Set up alerts for unusual patterns of "successful" authentications from suspicious sources
- Monitor for prototype pollution attempts in user-supplied JSON data
- Review dependency audit reports for both Axios version compliance and prototype pollution vulnerabilities in other packages
How to Mitigate CVE-2026-42041
Immediate Actions Required
- Upgrade Axios to version 1.15.1 or later for the 1.x branch
- Upgrade Axios to version 0.31.1 or later for the 0.x branch
- Audit your application's dependencies for prototype pollution vulnerabilities
- Implement server-side validation that doesn't rely solely on client-side error handling
Patch Information
The vulnerability has been fixed in Axios versions 1.15.1 and 0.31.1. The patch modifies how the validateStatus configuration property is merged, preventing prototype chain traversal from affecting the validation behavior. For detailed information about the fix, refer to the GitHub Security Advisory.
Workarounds
- Explicitly set validateStatus in all Axios request configurations to prevent prototype pollution from affecting validation
- Implement Object.freeze on Object.prototype in controlled environments (note: this may break some libraries)
- Use Object.create(null) for objects that process untrusted user input
- Implement secondary server-side checks that don't rely on client-side HTTP status handling
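Two of the workarounds above, the explicit validateStatus and null-prototype objects for untrusted input, are shown together in this added example. It is not code from the advisory or from Axios; withExplicitValidateStatus, lookupLikeVulnerableMerge and deepMerge are this page's own helpers, and the untrusted JSON document is constructed.

```javascript
// Added example, not from the advisory or from Axios: two of the listed
// workarounds. Helper names are this page's own; the untrusted input is constructed.

function defaultValidateStatus(status) {
  return status >= 200 && status < 300;
}

// Workaround: give every request config an own validateStatus. Even an
// `in`-based lookup (the vulnerable pattern) finds the own property first and
// never reaches Object.prototype.
function withExplicitValidateStatus(config, validate = defaultValidateStatus) {
  return { ...config, validateStatus: validate };
}

// One-line stand-in for the vulnerable lookup, used only to show precedence.
function lookupLikeVulnerableMerge(config) {
  return 'validateStatus' in config ? config.validateStatus : defaultValidateStatus;
}

// Resolves a 401 for a config with and without the explicit property while
// Object.prototype is polluted, then restores the prototype.
function compareExplicitConfig() {
  const implicit = { url: '/admin' };
  const explicit = withExplicitValidateStatus({ url: '/admin' });
  Object.defineProperty(Object.prototype, 'validateStatus', {
    value: () => true, configurable: true, writable: true, enumerable: false,
  });
  try {
    return {
      implicitAccepts401: lookupLikeVulnerableMerge(implicit)(401),
      explicitAccepts401: lookupLikeVulnerableMerge(explicit)(401),
    };
  } finally {
    delete Object.prototype.validateStatus;
  }
}

// The usual recursive merge of untrusted input. `create` decides what kind of
// object is made for nested keys; the merge logic itself is the same in both runs.
function deepMerge(target, source, create = () => ({})) {
  for (const key of Object.keys(source)) {
    const v = source[key];
    if (v && typeof v === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = create();
      deepMerge(target[key], v, create);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// Merges the same untrusted document into an ordinary object and into a
// null-prototype object; only the former reaches Object.prototype.
function compareMergeTargets() {
  // Constructed stand-in for parsed untrusted input (JSON.parse keeps "__proto__" as an own key).
  const untrusted = JSON.parse('{"theme":"dark","__proto__":{"validateStatus":"polluted"}}');
  const results = {};
  try {
    deepMerge({}, untrusted);
    results.ordinaryTarget = ({}).validateStatus; // 'polluted'
  } finally {
    delete Object.prototype.validateStatus;
  }
  const safe = deepMerge(Object.create(null), untrusted, () => Object.create(null));
  results.nullProtoTarget = ({}).validateStatus; // undefined
  results.safeHasOwnProtoKey = Object.prototype.hasOwnProperty.call(safe, '__proto__'); // true
  return results;
}

console.log(compareExplicitConfig(), compareMergeTargets());
```

With a null-prototype target there is no `__proto__` accessor to reach, so the key lands as an ordinary own property and never touches the shared prototype. Object.freeze(Object.prototype), the other listed workaround, would make the ordinary-target assignment fail instead; it is not run here because it changes behaviour for the whole process, which is the caveat the list gives.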
# Update Axios to a patched release (1.x branch)
npm install axios@^1.15.1
# Or, for applications still on the 0.x branch
npm install axios@^0.31.1
# Yarn equivalent for the 1.x branch
yarn upgrade axios@^1.15.1
# Verify the installed version
npm list axios
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.