CVE-2026-42042 Overview
Axios, a widely-used promise-based HTTP client for both browser and Node.js environments, contains a vulnerability in its XSRF (Cross-Site Request Forgery) token protection mechanism. Prior to versions 1.15.1 and 0.31.1, the library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy non-boolean value (via prototype pollution or misconfiguration), the same-origin check (isURLSameOrigin) is short-circuited, causing XSRF tokens to be sent to all request targets including cross-origin servers controlled by an attacker.
Critical Impact
Attackers can exploit this vulnerability to intercept XSRF tokens intended for same-origin requests, potentially enabling cross-site request forgery attacks against applications using affected Axios versions.
Affected Products
- Axios versions prior to 1.15.1
- Axios versions prior to 0.31.1
- Applications using Axios in Node.js environments
Discovery Timeline
- 2026-04-24 - CVE-2026-42042 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-42042
Vulnerability Analysis
This vulnerability stems from improper input validation in the Axios library's XSRF token handling logic. The core issue lies in how the withXSRFToken configuration property is evaluated. JavaScript's truthy/falsy evaluation model treats any non-falsy value (including non-boolean truthy values like non-empty strings, objects, or numbers) as logically true.
When an application or attacker (via prototype pollution) sets withXSRFToken to a truthy non-boolean value, the library incorrectly bypasses its built-in same-origin validation check performed by the isURLSameOrigin function. This bypass results in XSRF tokens being attached to HTTP requests destined for cross-origin servers, potentially exposing sensitive authentication tokens to malicious third-party endpoints.
The vulnerability is particularly concerning in scenarios where prototype pollution is achievable, as attackers could inject the malicious withXSRFToken property into the configuration object prototype, affecting all subsequent Axios requests made by the application.
Root Cause
The root cause is the use of JavaScript truthy evaluation (if (withXSRFToken)) rather than strict boolean comparison (if (withXSRFToken === true)) when determining whether to apply XSRF token protection logic. This permissive type coercion allows non-boolean truthy values to trigger unexpected code paths that skip the same-origin security check.
Attack Vector
The vulnerability is exploitable via network-based attacks that require user interaction. An attacker can leverage this flaw through two primary attack vectors:
Prototype Pollution: If the target application has a separate prototype pollution vulnerability, an attacker can inject a truthy value for withXSRFToken into the Object prototype, causing all Axios instances to leak XSRF tokens to arbitrary endpoints.
Misconfiguration Exploitation: Applications that inadvertently set withXSRFToken to truthy non-boolean values (such as strings or configuration objects) will unintentionally expose XSRF tokens in cross-origin requests.
The attack results in XSRF tokens being sent to attacker-controlled servers, which can then be used to forge authenticated requests against the victim application.
Detection Methods for CVE-2026-42042
Indicators of Compromise
- Unexpected outbound HTTP requests containing XSRF tokens to external domains
- Axios configuration objects with non-boolean truthy values for withXSRFToken
- Evidence of prototype pollution attacks modifying Object.prototype with XSRF-related properties
- Network traffic showing authentication headers being sent to unrecognized third-party servers
Detection Strategies
- Audit application code for Axios configurations where withXSRFToken is set to non-boolean values
- Implement Content Security Policy (CSP) headers to monitor and restrict cross-origin requests
- Review network logs for XSRF tokens appearing in requests to unexpected destinations
- Use static analysis tools to detect improper type handling in security-sensitive configuration properties
Monitoring Recommendations
- Monitor outbound HTTP traffic for authentication tokens being sent to untrusted domains
- Implement runtime checks for prototype pollution attempts targeting configuration objects
- Set up alerts for unusual cross-origin request patterns from client-side applications
- Review dependency management systems for vulnerable Axios versions in production deployments
How to Mitigate CVE-2026-42042
Immediate Actions Required
- Upgrade Axios to version 1.15.1 or later (for 1.x branch)
- Upgrade Axios to version 0.31.1 or later (for 0.x branch)
- Audit existing Axios configurations to ensure withXSRFToken is set to explicit boolean values only
- Implement prototype pollution protections such as Object.freeze() on critical configuration objects
Patch Information
The vulnerability has been addressed in Axios versions 1.15.1 and 0.31.1. The fix implements strict boolean comparison for the withXSRFToken configuration property, ensuring that only explicit true values trigger the XSRF token attachment logic. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Explicitly set withXSRFToken: true or withXSRFToken: false using boolean literals in all Axios configurations
- Implement a wrapper function that validates and sanitizes Axios configuration objects before use
- Use Object.freeze() on Axios default configuration to prevent prototype pollution attacks
- Implement server-side validation to reject XSRF tokens from unexpected origins
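As an added illustration (not axios source code), the truthy check named in the Root Cause section is modelled beside its strict-boolean form, followed by a sanitizing wrapper of the kind the workaround above suggests; the origin, the request URLs and the isURLSameOrigin stand-in are assumptions, and the prototype-inherited value is simulated with Object.create rather than by modifying Object.prototype.

```javascript
// Added example, not axios source code. It models the decision the advisory
// describes (truthy check vs strict boolean check before the same-origin test)
// and a config sanitizer for the wrapper workaround. ORIGIN and URLs are constructed.
const ORIGIN = "https://app.example";

// Simplified stand-in for axios's isURLSameOrigin helper (assumption).
function isURLSameOrigin(url) {
  return new URL(url, ORIGIN).origin === ORIGIN;
}

// Vulnerable shape: any truthy value short-circuits the same-origin check, so
// "yes", {} or 1 (from misconfiguration or a polluted prototype) all cause the
// token to be attached even to cross-origin requests.
function shouldAttachXsrfVulnerable(config) {
  if (config.withXSRFToken) return true;
  if (config.withXSRFToken === false) return false;
  return isURLSameOrigin(config.url);
}

// Patched shape: only the boolean literal true overrides the origin check.
function shouldAttachXsrfFixed(config) {
  if (config.withXSRFToken === true) return true;
  if (config.withXSRFToken === false) return false;
  return isURLSameOrigin(config.url);
}

// Wrapper workaround: accept only an own boolean withXSRFToken, ignore values
// inherited from a (possibly polluted) prototype, and freeze the result.
function sanitizeXsrfConfig(config) {
  const own = Object.prototype.hasOwnProperty.call(config, "withXSRFToken");
  const value = own ? config.withXSRFToken : undefined;
  if (value !== undefined && typeof value !== "boolean") {
    throw new TypeError("withXSRFToken must be a boolean literal, got " + typeof value);
  }
  // An own property (even when undefined) shadows anything on the prototype chain.
  return Object.freeze({ ...config, withXSRFToken: value });
}

// Constructed request config whose withXSRFToken comes from an inherited
// (prototype) property, standing in for the pollution scenario in the advisory.
function pollutedCrossOriginConfig() {
  const cfg = Object.create({ withXSRFToken: "yes" });
  cfg.url = "https://third-party.example/api";
  return cfg;
}
```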
# Upgrade Axios to the patched version (1.x branch)
npm install axios@1.15.1
# Or for the 0.x branch
npm install axios@0.31.1
# Verify the installed version
npm list axios
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.