CVE-2026-42033: Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking

May 5, 2026

When Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process – lodash < 4.17.21, or any of several other common npm packages with known PP vectors. The two gadgets confirmed here work independently.

References

github.com/advisories/GHSA-pf86-5x62-jrwf
github.com/axios/axios
github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf
nvd.nist.gov/vuln/detail/CVE-2026-42033

Code Behaviors & Features

Detect and mitigate CVE-2026-42033 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →