
AIKIDO-2026-10741

axios is vulnerable to Prototype Pollution

Category: Prototype Pollution
CVE-2026-44486
Published May 6, 2026

82 (High Risk)

This affects:

axios (JS)
0.0.1 - 0.31.1, fixed in 0.32.0
1.0.0 - 1.15.2, fixed in 1.16.0

TL;DR

Affected axios releases (both the 0.x and 1.x lines) merge request configuration and headers in ways that walk the prototype chain and rely on loose object-shape checks across adapters, so a merged object carrying keys such as "__proto__" can reach Object.prototype rather than being treated as plain data. Serialized errors could expose sensitive fields when logs or telemetry stringify error payloads. On the Node side, proxy environment variables and Unix socket paths were enforced less strictly than modern threat models expect. The fixed releases (0.32.0 and 1.16.0) tighten config merging and adapter reads with null-prototype merges and own-property checks, redact sensitive keys during error serialization by default, improve NO_PROXY matching for IPv6-mapped forms, strip Proxy-Authorization when no proxy applies, gate socketPath behind an allowlist, and harden URL parameter encoding.
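The merge weakness the TL;DR describes is easiest to see side by side. The block below is an added example written for this page, not code from axios: looseMerge is a generic recursive merge of the kind that walks inherited keys and resolves target[key] through the prototype chain, and safeMerge is the hardened form using a null-prototype target, own-property checks and a denylist for keys that reach the prototype chain. The JSON payload, the helper names (looseMerge, safeMerge, readOwn, FORBIDDEN_KEYS) and the "polluted" probe properties are all constructed for the illustration.

```javascript
// Added example (not code from axios): a loose recursive merge of the kind the
// advisory describes beside a hardened merge. The payload below is constructed
// to look like attacker-controlled JSON reaching a config/header merge.

// Vulnerable: for...in walks inherited keys, "__proto__" and "constructor" are
// not filtered, and target[key] resolves through the prototype chain, so the
// recursion lands on Object.prototype and writes to it.
function looseMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      if (!target[key]) target[key] = {};   // target["__proto__"] is Object.prototype
      looseMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: null-prototype result, own enumerable keys only, and the keys that
// can reach the prototype chain are dropped outright.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

function safeMerge(target, source) {
  const out = Object.create(null);
  for (const key of Object.keys(isPlainObject(target) ? target : {})) {
    if (!FORBIDDEN_KEYS.has(key)) out[key] = target[key];
  }
  if (!isPlainObject(source)) return out;
  for (const key of Object.keys(source)) {   // own enumerable keys only
    if (FORBIDDEN_KEYS.has(key)) continue;   // never follow keys into the prototype chain
    const val = source[key];
    if (isPlainObject(val)) {
      const base = hasOwn(out, key) && isPlainObject(out[key]) ? out[key] : Object.create(null);
      out[key] = safeMerge(base, val);
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Hardened read for code that consumes the config: an own-property lookup that
// does not see anything an earlier pollution left on Object.prototype.
function readOwn(config, key) {
  return hasOwn(config, key) ? config[key] : undefined;
}

// Constructed untrusted input carrying the two common pollution gadgets plus a
// legitimate header so the merge still has real work to do.
const UNTRUSTED_JSON =
  '{"__proto__": {"polluted": true},' +
  ' "constructor": {"prototype": {"alsoPolluted": true}},' +
  ' "headers": {"X-Test": "1"}}';

function demonstrate() {
  const untrusted = JSON.parse(UNTRUSTED_JSON);

  looseMerge({}, untrusted);
  const afterLoose = { polluted: ({}).polluted, alsoPolluted: ({}).alsoPolluted };
  delete Object.prototype.polluted;      // undo the pollution so later code is clean
  delete Object.prototype.alsoPolluted;

  const merged = safeMerge({ headers: { Accept: 'application/json' } }, untrusted);
  const afterSafe = {
    polluted: ({}).polluted,
    alsoPolluted: ({}).alsoPolluted,
    nullPrototype: Object.getPrototypeOf(merged) === null,
    headers: { ...merged.headers },
  };
  return { afterLoose, afterSafe };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

Note that JSON.parse creates "__proto__" as an ordinary own property rather than setting the prototype, which is exactly why a merge that iterates keys without filtering can carry it into Object.prototype; the null-prototype target in safeMerge is a second line of defence, because on such an object "__proto__" is just another data key even if the denylist were bypassed.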

Who does this affect?

You are affected if you run axios 0.0.1 through 0.31.1 or 1.0.0 through 1.15.2, including as a transitive dependency. Prototype pollution through a merge is only reachable when attacker-influenced objects reach that merge, so the exposure is highest where request config or headers are assembled from untrusted input such as a request body or query parameters; the other hardenings in the fixed releases (error redaction, proxy handling, socketPath, URL encoding) apply to every caller on the Node side.

Background info

axios is vulnerable to Prototype Pollution in versions 0.0.1 - 0.31.1 and 1.0.0 - 1.15.2.

How to fix this

Upgrade axios to 0.32.0 or later on the 0.x line, or to 1.16.0 or later on the 1.x line. Check the version actually resolved in your tree, not just the one declared in package.json, with `npm ls axios` (or the equivalent for your package manager), since a vulnerable copy can be pulled in by another dependency.