Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42044.json
https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23
https://bugzilla.redhat.com/show_bug.cgi?id=2461624
https://access.redhat.com/security/cve/CVE-2026-42044
https://access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:36107
https://access.redhat.com/errata/RHSA-2026:34608
https://access.redhat.com/errata/RHSA-2026:33574
https://access.redhat.com/errata/RHSA-2026:26234
https://access.redhat.com/errata/RHSA-2026:26232
https://access.redhat.com/errata/RHSA-2026:26225
https://access.redhat.com/errata/RHSA-2026:26214
https://access.redhat.com/errata/RHSA-2026:25273
https://access.redhat.com/errata/RHSA-2026:25271
https://access.redhat.com/errata/RHSA-2026:25089
https://access.redhat.com/errata/RHSA-2026:25041
https://access.redhat.com/errata/RHSA-2026:24853
https://access.redhat.com/errata/RHSA-2026:24539
https://access.redhat.com/errata/RHSA-2026:24536
https://access.redhat.com/errata/RHSA-2026:24473
https://access.redhat.com/errata/RHSA-2026:24471
https://access.redhat.com/errata/RHSA-2026:23361
https://access.redhat.com/errata/RHSA-2026:22840
https://access.redhat.com/errata/RHSA-2026:22629
https://access.redhat.com/errata/RHSA-2026:22465
https://access.redhat.com/errata/RHSA-2026:21772
https://access.redhat.com/errata/RHSA-2026:21338
https://access.redhat.com/errata/RHSA-2026:21017
https://access.redhat.com/errata/RHSA-2026:20938
https://access.redhat.com/errata/RHSA-2026:20889
https://access.redhat.com/errata/RHSA-2026:20454
https://access.redhat.com/errata/RHSA-2026:20338
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:19109
https://access.redhat.com/errata/RHSA-2026:17699
https://access.redhat.com/errata/RHSA-2026:17657
https://access.redhat.com/errata/RHSA-2026:16542
https://access.redhat.com/errata/RHSA-2026:16535