Intel

AIKIDO-2026-10509

axios is vulnerable to Prototype Pollution

Prototype PollutionCVE-2026-42033 Published Apr 20, 2026

74

High Risk

This Affects:

JSaxios
0.0.1 - 0.31.0
Fixed in 0.31.1
1.0.0 - 1.15.0
Fixed in 1.15.1
Are you affected? Scan for Free

TL;DR

Affected versions of this package are vulnerable to prototype pollution–based header injection due to unsafe FormData detection and header merging logic. The affected implementation may treat attacker-controlled plain objects as valid FormData instances and invoke inherited getHeaders methods from polluted prototypes, allowing malicious headers such as forged authorization values to be merged into outbound requests. In addition, query parameter encoding improperly handles null-byte values, which can lead to unexpected parameter transformations. An attacker able to influence object prototypes or request data can inject unauthorized headers or manipulate request processing.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

axios is vulnerable to Prototype Pollution in versions 1.0.0 - 1.15.0 and 0.0.1 - 0.31.0.

How to fix this

Upgrade the axios library to the patch version.

Links

Other

access.redhat.com/errata/RHSA-2026:14937
https://access.redhat.com/errata/RHSA-2026:14937
access.redhat.com/errata/RHSA-2026:16476
https://access.redhat.com/errata/RHSA-2026:16476
access.redhat.com/errata/RHSA-2026:16532
https://access.redhat.com/errata/RHSA-2026:16532
access.redhat.com/errata/RHSA-2026:16534
https://access.redhat.com/errata/RHSA-2026:16534
access.redhat.com/errata/RHSA-2026:16535
https://access.redhat.com/errata/RHSA-2026:16535
access.redhat.com/errata/RHSA-2026:16542
https://access.redhat.com/errata/RHSA-2026:16542
access.redhat.com/errata/RHSA-2026:16874
https://access.redhat.com/errata/RHSA-2026:16874
access.redhat.com/errata/RHSA-2026:17468
https://access.redhat.com/errata/RHSA-2026:17468
access.redhat.com/errata/RHSA-2026:17474
https://access.redhat.com/errata/RHSA-2026:17474
access.redhat.com/errata/RHSA-2026:17657
https://access.redhat.com/errata/RHSA-2026:17657
access.redhat.com/errata/RHSA-2026:17699
https://access.redhat.com/errata/RHSA-2026:17699
access.redhat.com/errata/RHSA-2026:19109
https://access.redhat.com/errata/RHSA-2026:19109
access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:19375
access.redhat.com/errata/RHSA-2026:20889
https://access.redhat.com/errata/RHSA-2026:20889
access.redhat.com/errata/RHSA-2026:20938
https://access.redhat.com/errata/RHSA-2026:20938
access.redhat.com/errata/RHSA-2026:21017
https://access.redhat.com/errata/RHSA-2026:21017
access.redhat.com/errata/RHSA-2026:21338
https://access.redhat.com/errata/RHSA-2026:21338
access.redhat.com/errata/RHSA-2026:21772
https://access.redhat.com/errata/RHSA-2026:21772
access.redhat.com/errata/RHSA-2026:22465
https://access.redhat.com/errata/RHSA-2026:22465
access.redhat.com/errata/RHSA-2026:22619
https://access.redhat.com/errata/RHSA-2026:22619
access.redhat.com/errata/RHSA-2026:22629
https://access.redhat.com/errata/RHSA-2026:22629
access.redhat.com/errata/RHSA-2026:22840
https://access.redhat.com/errata/RHSA-2026:22840
access.redhat.com/errata/RHSA-2026:23361
https://access.redhat.com/errata/RHSA-2026:23361
access.redhat.com/errata/RHSA-2026:24536
https://access.redhat.com/errata/RHSA-2026:24536
access.redhat.com/errata/RHSA-2026:24539
https://access.redhat.com/errata/RHSA-2026:24539
access.redhat.com/errata/RHSA-2026:24853
https://access.redhat.com/errata/RHSA-2026:24853
access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/errata/RHSA-2026:24977
access.redhat.com/errata/RHSA-2026:25041
https://access.redhat.com/errata/RHSA-2026:25041
access.redhat.com/errata/RHSA-2026:25089
https://access.redhat.com/errata/RHSA-2026:25089
access.redhat.com/errata/RHSA-2026:25271
https://access.redhat.com/errata/RHSA-2026:25271
access.redhat.com/errata/RHSA-2026:25273
https://access.redhat.com/errata/RHSA-2026:25273
access.redhat.com/errata/RHSA-2026:26214
https://access.redhat.com/errata/RHSA-2026:26214
access.redhat.com/errata/RHSA-2026:26225
https://access.redhat.com/errata/RHSA-2026:26225
access.redhat.com/errata/RHSA-2026:26232
https://access.redhat.com/errata/RHSA-2026:26232
access.redhat.com/errata/RHSA-2026:26234
https://access.redhat.com/errata/RHSA-2026:26234
access.redhat.com/errata/RHSA-2026:33574
https://access.redhat.com/errata/RHSA-2026:33574
access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:36882
access.redhat.com/security/cve/CVE-2026-42033
https://access.redhat.com/security/cve/CVE-2026-42033
bugzilla.redhat.com/show_bug.cgi?id=2461607
https://bugzilla.redhat.com/show_bug.cgi?id=2461607
security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42033.json
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42033.json