CVE-2026-42041

medium

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript's in operator — an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () => true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42041.json

https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63

https://bugzilla.redhat.com/show_bug.cgi?id=2461629

https://access.redhat.com/security/cve/CVE-2026-42041

https://access.redhat.com/errata/RHSA-2026:36882

https://access.redhat.com/errata/RHSA-2026:33574

https://access.redhat.com/errata/RHSA-2026:26234

https://access.redhat.com/errata/RHSA-2026:26232

https://access.redhat.com/errata/RHSA-2026:26225

https://access.redhat.com/errata/RHSA-2026:26214

https://access.redhat.com/errata/RHSA-2026:25273

https://access.redhat.com/errata/RHSA-2026:25271

https://access.redhat.com/errata/RHSA-2026:25089

https://access.redhat.com/errata/RHSA-2026:25041

https://access.redhat.com/errata/RHSA-2026:24977

https://access.redhat.com/errata/RHSA-2026:24853

https://access.redhat.com/errata/RHSA-2026:24539

https://access.redhat.com/errata/RHSA-2026:24536

https://access.redhat.com/errata/RHSA-2026:23361

https://access.redhat.com/errata/RHSA-2026:22840

https://access.redhat.com/errata/RHSA-2026:22629

https://access.redhat.com/errata/RHSA-2026:22619

https://access.redhat.com/errata/RHSA-2026:22465

https://access.redhat.com/errata/RHSA-2026:21772

https://access.redhat.com/errata/RHSA-2026:21338

https://access.redhat.com/errata/RHSA-2026:21017

https://access.redhat.com/errata/RHSA-2026:20938

https://access.redhat.com/errata/RHSA-2026:20889

https://access.redhat.com/errata/RHSA-2026:19375

https://access.redhat.com/errata/RHSA-2026:19109

https://access.redhat.com/errata/RHSA-2026:17699

https://access.redhat.com/errata/RHSA-2026:17657

https://access.redhat.com/errata/RHSA-2026:17474

https://access.redhat.com/errata/RHSA-2026:17468

https://access.redhat.com/errata/RHSA-2026:16874

https://access.redhat.com/errata/RHSA-2026:16542

https://access.redhat.com/errata/RHSA-2026:16535

https://access.redhat.com/errata/RHSA-2026:16534

https://access.redhat.com/errata/RHSA-2026:16532

https://access.redhat.com/errata/RHSA-2026:16476

https://access.redhat.com/errata/RHSA-2026:14937

Details

Source: Mitre, NVD

Published: 2026-04-24

Updated: 2026-07-10

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.0004