CVE-2026-42264: Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
Five config properties in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request.
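The read-side pattern described above, as an added example that is not axios code. `exampleOption` is a hypothetical config key (the advisory text here does not list the five properties), the config object is constructed, and the pollution is simulated and cleaned up inside `demo()`.

```javascript
'use strict';

// Unguarded read: when the key is not set on the config object itself,
// the lookup falls through to Object.prototype (the pattern the advisory describes).
function readUnguarded(config, key) {
  return config[key];
}

// Guarded read: only returns values that are own properties of the config.
function readOwn(config, key) {
  return Object.prototype.hasOwnProperty.call(config, key) ? config[key] : undefined;
}

// Copy own properties into a null-prototype object so that later direct
// reads cannot reach Object.prototype at all.
function toNullProto(config) {
  return Object.assign(Object.create(null), config);
}

// Detection: Object.prototype normally has no enumerable own keys, so any
// key returned here was added by code running in this process.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}

function demo() {
  const KEY = 'exampleOption'; // hypothetical name, not taken from axios
  const config = { url: 'https://api.example.test/items' }; // constructed caller config

  // Simulate what a polluting dependency in the same process leaves behind.
  Object.prototype[KEY] = 'value-from-prototype';
  try {
    return {
      unguarded: readUnguarded(config, KEY),  // inherited value leaks in
      guarded: readOwn(config, KEY),          // undefined: caller never set it
      nullProto: toNullProto(config)[KEY],    // undefined: no prototype chain
      detected: pollutedKeys(),               // contains KEY while polluted
    };
  } finally {
    delete Object.prototype[KEY]; // restore a clean prototype
  }
}

console.log(demo());
```

Running `pollutedKeys()` at process start-up or in a test suite flags a polluted `Object.prototype` before any request configuration is read.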