Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript's in operator — an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () => true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42041.json
https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63
https://bugzilla.redhat.com/show_bug.cgi?id=2461629
https://access.redhat.com/security/cve/CVE-2026-42041
https://access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:33574
https://access.redhat.com/errata/RHSA-2026:26234
https://access.redhat.com/errata/RHSA-2026:26232
https://access.redhat.com/errata/RHSA-2026:26225
https://access.redhat.com/errata/RHSA-2026:26214
https://access.redhat.com/errata/RHSA-2026:25273
https://access.redhat.com/errata/RHSA-2026:25271
https://access.redhat.com/errata/RHSA-2026:25089
https://access.redhat.com/errata/RHSA-2026:25041
https://access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/errata/RHSA-2026:24853
https://access.redhat.com/errata/RHSA-2026:24539
https://access.redhat.com/errata/RHSA-2026:24536
https://access.redhat.com/errata/RHSA-2026:23361
https://access.redhat.com/errata/RHSA-2026:22840
https://access.redhat.com/errata/RHSA-2026:22629
https://access.redhat.com/errata/RHSA-2026:22619
https://access.redhat.com/errata/RHSA-2026:22465
https://access.redhat.com/errata/RHSA-2026:21772
https://access.redhat.com/errata/RHSA-2026:21338
https://access.redhat.com/errata/RHSA-2026:21017
https://access.redhat.com/errata/RHSA-2026:20938
https://access.redhat.com/errata/RHSA-2026:20889
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:19109
https://access.redhat.com/errata/RHSA-2026:17699
https://access.redhat.com/errata/RHSA-2026:17657
https://access.redhat.com/errata/RHSA-2026:17474
https://access.redhat.com/errata/RHSA-2026:17468
https://access.redhat.com/errata/RHSA-2026:16874
https://access.redhat.com/errata/RHSA-2026:16542
https://access.redhat.com/errata/RHSA-2026:16535
https://access.redhat.com/errata/RHSA-2026:16534
https://access.redhat.com/errata/RHSA-2026:16532