CVE-2026-42264 Overview
CVE-2026-42264 is a prototype pollution vulnerability in the Axios HTTP client library affecting versions 1.0.0 through 1.15.1. Axios is a promise-based HTTP client widely used in Node.js applications. The flaw resides in the HTTP adapter, where five configuration properties are read via direct property access without hasOwnProperty guards. When Object.prototype is polluted elsewhere in the process, Axios silently inherits attacker-controlled values on every outbound HTTP request. The affected properties are auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser. The issue is tracked under CWE-1321 and was patched in version 1.15.2.
Critical Impact
Attackers who pollute Object.prototype through any dependency in the same Node.js process can redirect outbound HTTP requests, inject authentication credentials, relax HTTP parser strictness via insecureHTTPParser, and hijack redirect handling.
Affected Products
- Axios versions 1.0.0 through 1.15.1 (Node.js)
- Applications using the Axios HTTP adapter on Node.js
- Downstream packages bundling vulnerable Axios versions
Discovery Timeline
- 2026-05-08 - CVE-2026-42264 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42264
Vulnerability Analysis
The vulnerability stems from unsafe property reads inside the Node.js HTTP adapter at lib/adapters/http.js. Axios accesses configuration properties such as config.auth, config.baseURL, config.socketPath, config.beforeRedirect, and config.insecureHTTPParser directly. JavaScript property reads traverse the prototype chain, so any value set on Object.prototype becomes visible to these reads. If another dependency in the same process pollutes the prototype, Axios silently picks up those values on every outbound request. The attacker does not need to control the Axios call site itself.
Root Cause
The config object passed through mergeConfig was a plain object inheriting from Object.prototype. Combined with missing hasOwnProperty checks on the five exploitable properties, polluted prototype values flowed directly into request construction. The fix introduces a null-prototype config object and routes property access through an own() helper that enforces ownership checks.
Attack Vector
Exploitation requires a co-resident prototype pollution gadget in the same Node.js process. Once Object.prototype is polluted, an attacker can set baseURL to redirect requests to an attacker-controlled host, inject auth to leak credentials, set socketPath to route traffic through a Unix socket, override beforeRedirect to execute attacker-supplied callbacks, or enable insecureHTTPParser to relax parser strictness for request smuggling. The attack vector is network-reachable because triggering depends on the application issuing outbound HTTP calls.
// Patch excerpt from lib/adapters/http.js
// HTTP basic authentication
let auth = undefined;
// Before: direct prototype-chain read
// if (config.auth) {
//   const username = config.auth.username || '';
//   const password = config.auth.password || '';
//   auth = username + ':' + password;
// }
// After: own-property guarded read
const configAuth = own('auth');
if (configAuth) {
  const username = configAuth.username || '';
  const password = configAuth.password || '';
  auth = username + ':' + password;
}
Source: Axios commit 47915144
// Patch excerpt from lib/core/mergeConfig.js
// Use a null-prototype object so that downstream reads such as `config.auth`
// or `config.baseURL` cannot inherit polluted values from Object.prototype
// (see GHSA-q8qp-cvcw-x6jj).
const config = Object.create(null);
Object.defineProperty(config, 'hasOwnProperty', {
  value: Object.prototype.hasOwnProperty,
  enumerable: false,
  writable: true,
  configurable: true,
});
Source: Axios commit 47915144
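The following is an added example, not Axios's own code: it models the two fixes above (a null-prototype merged config and an own() guard) beside the unguarded read used by versions 1.0.0 through 1.15.1, and shows which combinations still inherit a polluted value. The function names and the pollution simulated inside withPollutedPrototype are assumptions for this demonstration.

```javascript
// Added example, not Axios's own code: a minimal model of the two fixes above
// (null-prototype merged config plus an own() guard) next to the unguarded read
// of versions 1.0.0 through 1.15.1. All function names here are assumed.

// Mirrors the mergeConfig.js change: the merged config has no prototype, so only
// keys the caller actually set can be read back from it.
function mergeConfigNullProto(...sources) {
  const config = Object.create(null);
  Object.defineProperty(config, 'hasOwnProperty', {
    value: Object.prototype.hasOwnProperty,
    enumerable: false, writable: true, configurable: true,
  });
  for (const src of sources) {
    for (const key of Object.keys(src || {})) config[key] = src[key];
  }
  return config;
}

// Mirrors the http.js own() guard: only an own property is returned.
function own(config, key) {
  return Object.prototype.hasOwnProperty.call(config, key) ? config[key] : undefined;
}

// The pre-1.15.2 pattern: a plain read that walks the prototype chain.
function unguardedRead(config, key) {
  return config[key];
}

// Constructed pollution for the comparison, confined to fn() and always undone.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key, { value, configurable: true, writable: true });
  try { return fn(); } finally { delete Object.prototype[key]; }
}

// Read one affected key from a config that never set it, under pollution, via each
// config shape (pre-fix plain / post-fix null-prototype) and read style (unguarded / own()).
function compareReads(key, pollutedValue) {
  const plainConfig = { url: '/health' };
  const hardenedConfig = mergeConfigNullProto({ url: '/health' });
  return withPollutedPrototype(key, pollutedValue, () => ({
    plainUnguarded: unguardedRead(plainConfig, key),       // polluted value leaks in
    plainGuarded: own(plainConfig, key),                   // undefined
    hardenedUnguarded: unguardedRead(hardenedConfig, key), // undefined: nothing to inherit
    hardenedGuarded: own(hardenedConfig, key),             // undefined
  }));
}
```

Only the pre-fix shape read without a guard picks up the polluted value; either fix alone closes the read, and the patch applies both.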
Detection Methods for CVE-2026-42264
Indicators of Compromise
- Outbound HTTP requests from Node.js services to unexpected hosts that do not match the application's configured baseURL
- Unexpected Authorization: Basic headers on requests that should be unauthenticated
- Requests routed through unfamiliar Unix socketPath values in process telemetry
- Redirect handling deviations such as new follow-redirect destinations or modified headers
Detection Strategies
- Inventory package-lock.json and yarn.lock files for Axios versions earlier than 1.15.2
- Run npm ls axios across build pipelines to surface transitive vulnerable copies
- Monitor Node.js processes for runtime prototype pollution using tools that hook Object.defineProperty and writes to __proto__
- Correlate egress proxy logs with expected destinations declared by application configuration
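As an added example for the lockfile inventory step above (not a tool from the advisory or the Axios project), this scans an npm lockfile of lockfileVersion 2 or 3, whose "packages" map lists every installed copy, for Axios entries in the affected range 1.0.0 through 1.15.1, nested transitive copies included. The function names are assumed and SAMPLE_LOCK is a constructed lockfile.

```javascript
// Added example, not from the advisory: scan an npm lockfile (lockfileVersion 2 or 3,
// which list every installed copy under "packages") for Axios copies in the affected
// range 1.0.0 through 1.15.1. Function names are assumed; SAMPLE_LOCK is constructed.

const FIRST_AFFECTED = [1, 0, 0], FIRST_FIXED = [1, 15, 2];

function parseVersion(v) {
  // Drop a leading "v" and any prerelease/build suffix; tolerate short versions.
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0].split('.');
  return [0, 1, 2].map((i) => Number.parseInt(core[i] ?? '0', 10) || 0);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True for 1.0.0 <= version < 1.15.2, the range the advisory lists.
function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, FIRST_AFFECTED) >= 0 && compareVersions(v, FIRST_FIXED) < 0;
}

// Returns [{ path, version }] for every axios entry in the affected range.
function findVulnerableAxios(lock) {
  if (!lock.packages) throw new Error('expected lockfileVersion 2 or 3 with a "packages" map');
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (!/(^|\/)node_modules\/axios$/.test(path)) continue;
    if (entry && entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile: one direct copy and two transitive copies, two of them affected.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '^1.15.1', 'some-sdk': '^2.0.0' } },
    'node_modules/axios': { version: '1.15.1' },
    'node_modules/some-sdk': { version: '2.0.0', dependencies: { axios: '^1.6.0' } },
    'node_modules/some-sdk/node_modules/axios': { version: '1.6.0' },
    'node_modules/other-lib/node_modules/axios': { version: '1.15.2' },
  },
};
```

For a real project, replace SAMPLE_LOCK with JSON.parse of the package-lock.json contents; lockfileVersion 1 files nest copies under "dependencies" instead and are not handled here.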
Monitoring Recommendations
- Capture and alert on anomalous outbound destinations from server-side Node.js workloads
- Log Axios request configuration at the application layer to detect unexpected socketPath or insecureHTTPParser values
- Track dependency drift using software composition analysis tied to CI/CD gates
How to Mitigate CVE-2026-42264
Immediate Actions Required
- Upgrade Axios to version 1.15.2 or later across all production and development dependencies
- Audit transitive dependencies that may bundle older Axios versions and force resolution to the patched release
- Review the codebase for other prototype pollution sinks that could chain with this gadget
Patch Information
The fix is included in Axios 1.15.2. See the GitHub Security Advisory GHSA-q8qp-cvcw-x6jj, the merged pull request #10779, and the v1.15.2 release notes. The patch replaces the merged config with a null-prototype object and routes sensitive property reads through an own() helper enforcing hasOwnProperty semantics.
Workarounds
- Freeze Object.prototype early in process startup using Object.freeze(Object.prototype) to block runtime pollution
- Run Node.js with --disable-proto=delete to remove the __proto__ accessor on objects
- Explicitly pass a null-prototype config object to Axios calls in security-sensitive paths until upgrade completes
# Upgrade Axios across the project and enforce resolution
npm install axios@^1.15.2
npm dedupe
npm ls axios
# Optional runtime hardening for Node.js entrypoints
node --disable-proto=delete app.js
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.