CVE-2026-44494

high

Description

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44494.json

https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh

https://bugzilla.redhat.com/show_bug.cgi?id=2487942

https://access.redhat.com/security/cve/CVE-2026-44494

https://access.redhat.com/errata/RHSA-2026:34530

https://access.redhat.com/errata/RHSA-2026:34527

https://access.redhat.com/errata/RHSA-2026:34525

https://access.redhat.com/errata/RHSA-2026:33574

https://access.redhat.com/errata/RHSA-2026:33183

https://access.redhat.com/errata/RHSA-2026:33173

https://access.redhat.com/errata/RHSA-2026:33163

https://access.redhat.com/errata/RHSA-2026:33160

https://access.redhat.com/errata/RHSA-2026:33155

https://access.redhat.com/errata/RHSA-2026:33005

https://access.redhat.com/errata/RHSA-2026:30651

https://access.redhat.com/errata/RHSA-2026:30650

https://access.redhat.com/errata/RHSA-2026:29864

https://access.redhat.com/errata/RHSA-2026:29800

https://access.redhat.com/errata/RHSA-2026:29197

https://access.redhat.com/errata/RHSA-2026:29082

https://access.redhat.com/errata/RHSA-2026:28964

https://access.redhat.com/errata/RHSA-2026:27044

https://access.redhat.com/errata/RHSA-2026:26234

https://access.redhat.com/errata/RHSA-2026:20938

https://access.redhat.com/errata/RHSA-2026:20889

Details

Source: Mitre, NVD

Published: 2026-06-11

Updated: 2026-07-02

Risk Information

CVSS v2

Base Score: 7.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N

Severity: High

CVSS v3

Base Score: 8.7

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Severity: High

EPSS

EPSS: 0.00035