CVE-2026-42044

critical

Description

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42044.json

https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23

https://bugzilla.redhat.com/show_bug.cgi?id=2461624

https://access.redhat.com/security/cve/CVE-2026-42044

https://access.redhat.com/errata/RHSA-2026:36882

https://access.redhat.com/errata/RHSA-2026:36107

https://access.redhat.com/errata/RHSA-2026:34608

https://access.redhat.com/errata/RHSA-2026:33574

https://access.redhat.com/errata/RHSA-2026:26234

https://access.redhat.com/errata/RHSA-2026:26232

https://access.redhat.com/errata/RHSA-2026:26225

https://access.redhat.com/errata/RHSA-2026:26214

https://access.redhat.com/errata/RHSA-2026:25273

https://access.redhat.com/errata/RHSA-2026:25271

https://access.redhat.com/errata/RHSA-2026:25089

https://access.redhat.com/errata/RHSA-2026:25041

https://access.redhat.com/errata/RHSA-2026:24853

https://access.redhat.com/errata/RHSA-2026:24539

https://access.redhat.com/errata/RHSA-2026:24536

https://access.redhat.com/errata/RHSA-2026:24473

https://access.redhat.com/errata/RHSA-2026:24471

https://access.redhat.com/errata/RHSA-2026:23361

https://access.redhat.com/errata/RHSA-2026:22840

https://access.redhat.com/errata/RHSA-2026:22629

https://access.redhat.com/errata/RHSA-2026:22465

https://access.redhat.com/errata/RHSA-2026:21772

https://access.redhat.com/errata/RHSA-2026:21338

https://access.redhat.com/errata/RHSA-2026:21017

https://access.redhat.com/errata/RHSA-2026:20938

https://access.redhat.com/errata/RHSA-2026:20889

https://access.redhat.com/errata/RHSA-2026:20454

https://access.redhat.com/errata/RHSA-2026:20338

https://access.redhat.com/errata/RHSA-2026:19375

https://access.redhat.com/errata/RHSA-2026:19109

https://access.redhat.com/errata/RHSA-2026:17699

https://access.redhat.com/errata/RHSA-2026:17657

https://access.redhat.com/errata/RHSA-2026:16542

https://access.redhat.com/errata/RHSA-2026:16535

https://access.redhat.com/errata/RHSA-2026:16534

https://access.redhat.com/errata/RHSA-2026:16532

Details

Source: Mitre, NVD

Published: 2026-04-24

Updated: 2026-07-10

Risk Information

CVSS v2

Base Score: 9.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

Severity: High

CVSS v3

Base Score: 9.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: Critical

EPSS

EPSS: 0.0003