Cyber Resilience

CVE-2026-42035

Severity: High · Public PoC available

Published: 24 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available (fixed in 1.15.1 and 0.31.1)
CVSS v3.1 Score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0005 (15.2th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-42035 is a high-severity vulnerability in the Axios HTTP client (vendor: Axios), classified as HTTP Request/Response Splitting (CWE-113): a prototype pollution gadget in the Node.js HTTP adapter lets an attacker inject arbitrary headers into outgoing requests. Its CVSS v3.1 base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Protocols (T1071.001). The CVE is ranked at the 15.2th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-42035 is a prototype pollution gadget in the Axios HTTP client library for browsers and Node.js, located in the Node.js HTTP adapter at lib/adapters/http.js. Versions prior to 1.15.1 and 0.31.1 are affected. The adapter duck-types the request data payload: if Object.prototype has been polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, a plain object payload inherits all of them and is misidentified as a FormData instance. Axios then invokes the attacker-controlled getHeaders() function and merges whatever it returns into the outgoing request headers. The pollution source can originate from any dependency in the application's tree; Axios itself only supplies the gadget. Because the vulnerable code is confined to the Node.js http adapter, the exposed surface is server-side Node.js usage of Axios; browser bundles use the xhr/fetch adapters and do not reach this code path.

A remote attacker with no privileges can exploit this by first triggering prototype pollution through a vulnerable dependency, then causing the application to send an Axios request whose data is a plain object, which results in attacker-chosen headers being injected into the request. The misidentification occurs during payload processing and compromises confidentiality and integrity (CVSS 7.4: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) without impacting availability. Attack complexity is rated high because exploitation requires chaining an initial prototype pollution primitive (able to place the listed members on Object.prototype) with a reachable Axios call that passes a plain object as the payload.

The GitHub security advisory (GHSA-6chq-wfr3-2hj9) confirms the issue is resolved in Axios versions 1.15.1 and 0.31.1 and recommends immediate upgrades for affected installations. Practitioners should also audit the full dependency tree for prototype pollution primitives, since the gadget only needs one of them anywhere in the tree, and should inventory every copy of Axios (including nested copies pulled in by other packages) in Node.js deployments, where the http adapter is in use.

Vulnerability details

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload: if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself; any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.
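The following is an added example written for this page, not Axios source code and not the upstream patch. It models the mechanism described in the deeper analysis and in the vulnerability details above as a stand-alone script: a duck-typed "is this FormData?" check in the spirit of the vulnerable adapter, a stand-in for a prototype pollution primitive that could live anywhere in the dependency tree, header assembly that merges getHeaders() output, and a hardened check that only accepts members defined below Object.prototype in the chain. All function names, the payload, and the injected header values are assumptions made for the demo; the hardened check is this example's own mitigation, and the real remediation is upgrading to 1.15.1 / 0.31.1.

```javascript
// Added example, not Axios source: a stand-alone model of the duck-typed
// FormData check the advisory describes, the Object.prototype pollution that
// defeats it, and a prototype-chain check that does not. Function names and
// the payload/header values below are assumptions made for this demo.

const FORMDATA_METHODS = ['getHeaders', 'append', 'pipe', 'on', 'once'];

// Vulnerable pattern: the payload only has to *respond to* the expected
// members; it does not matter where in the prototype chain they come from.
function isFormDataDuckTyped(data) {
  return data !== null && typeof data === 'object' &&
    FORMDATA_METHODS.every((m) => typeof data[m] === 'function') &&
    data[Symbol.toStringTag] === 'FormData';
}

// True when `key` is defined on `obj` or on a prototype *below*
// Object.prototype. A real form-data instance defines its methods on
// FormData.prototype and passes; a plain object that only inherits them from
// a polluted Object.prototype does not.
function definedBelowRoot(obj, key) {
  for (let o = obj; o !== null && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    if (Object.prototype.hasOwnProperty.call(o, key)) return true;
  }
  return false;
}

// Hardened pattern (this demo's own hardening, not the upstream fix).
function isFormDataHardened(data) {
  return data !== null && typeof data === 'object' &&
    [...FORMDATA_METHODS, Symbol.toStringTag].every((k) => definedBelowRoot(data, k)) &&
    isFormDataDuckTyped(data);
}

// Header assembly in the spirit of the adapter: a FormData payload gets to
// contribute its own headers (multipart boundary etc.); anything else is JSON.
function buildRequestHeaders(data, isFormData) {
  const headers = { host: 'api.example.invalid' };
  if (isFormData(data)) {
    Object.assign(headers, data.getHeaders()); // attacker-controlled when polluted
  } else {
    headers['content-type'] = 'application/json';
  }
  return headers;
}

// Stand-in for a pollution primitive living anywhere in the dependency tree.
// Runs `fn` under pollution and always restores Object.prototype afterwards.
function withPollutedPrototype(fn) {
  const injected = {
    getHeaders: () => ({ 'x-injected': 'attacker', 'content-type': 'text/plain' }),
    append() {}, pipe() {}, on() {}, once() {},
  };
  const keys = [...Object.keys(injected), Symbol.toStringTag];
  try {
    Object.assign(Object.prototype, injected);
    Object.prototype[Symbol.toStringTag] = 'FormData';
    return fn();
  } finally {
    for (const k of keys) delete Object.prototype[k];
  }
}

// Detection aid: a clean runtime has no enumerable keys on Object.prototype,
// so anything listed here was put there by a pollution primitive.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// A legitimate FormData-like class (methods live on its prototype, not on the
// instance and not on Object.prototype), used to show the hardened check
// still accepts the real thing.
class LegitFormData {
  getHeaders() { return { 'content-type': 'multipart/form-data; boundary=demo' }; }
  append() {} pipe() {} on() {} once() {}
  get [Symbol.toStringTag]() { return 'FormData'; }
}

function demo() {
  const payload = { user: 'alice' }; // constructed plain JSON-style payload
  return {
    vulnerable: withPollutedPrototype(() => buildRequestHeaders(payload, isFormDataDuckTyped)),
    hardened:   withPollutedPrototype(() => buildRequestHeaders(payload, isFormDataHardened)),
    legit:      buildRequestHeaders(new LegitFormData(), isFormDataHardened),
    polluted:   withPollutedPrototype(pollutedPrototypeKeys),
    clean:      pollutedPrototypeKeys(),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under pollution the duck-typed path emits the attacker's x-injected and content-type headers for an ordinary JSON payload, while the chain-walking check falls back to application/json and still accepts a genuine FormData-style object. The pollutedPrototypeKeys() check is a cheap runtime canary: any enumerable key on Object.prototype is a sign that some dependency has already been exploited, regardless of which gadget it will eventually reach.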

CWE(s)

CWE-113 HTTP Request/Response Splitting
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1071.001 Web Protocols (Command and Control)
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
T1565.002 Transmitted Data Manipulation (Impact)
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The vulnerability lets an attacker inject arbitrary HTTP headers into requests that Axios sends on the application's behalf. That maps to Web Protocols, since the injected traffic rides on the application's own outbound HTTP, and to Transmitted Data Manipulation, since request headers are altered in transit before they reach their destination.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42033 (same product: Axios)
CVE-2026-42044 (same product: Axios)
CVE-2026-42264 (same product: Axios)
CVE-2026-40175 (same product: Axios)
CVE-2026-42039 (same product: Axios)
CVE-2026-42038 (same product: Axios)
CVE-2026-25639 (same product: Axios)
CVE-2025-62718 (same product: Axios)
CVE-2026-42043 (same product: Axios)
CVE-2024-57965 (same product: Axios)

Affected Assets

axios (npm package axios)
Affected: all versions below 0.31.1, and 1.0.0 up to but not including 1.15.1
Fixed: 0.31.1 and 1.15.1

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent · SI-2 Flaw Remediation

Timely flaw remediation means upgrading every Axios copy below 1.15.1 (1.x line) or 0.31.1 (0.x line) to a fixed release, which removes the prototype pollution gadget itself.

detect · RA-5 Vulnerability Monitoring and Scanning

Vulnerability scanning identifies systems running vulnerable Axios versions, as well as dependencies that carry the prototype pollution primitives needed to reach the gadget, so that they can be remediated before exploitation.

detect · CM-8 System Component Inventory

A system component inventory that covers third-party dependencies such as Axios reveals every copy of the library in the application tree, including nested copies installed under other packages, and which of them are at vulnerable versions.
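As an added example of the inventory and scanning controls above (this page's own illustration, not Axios or NIST material), the script below walks an npm lockfile in the v2/v3 "packages" layout and flags every copy of axios whose version falls in the advisory's affected ranges, nested copies included. The lockfile embedded here is constructed for the demo; to scan a real project, pass JSON.parse of its package-lock.json to findVulnerableAxios. Treating major versions above 1 as outside the advisory's ranges is an assumption of this example.

```javascript
// Added example (not Axios or NIST material): scan an npm lockfile (v2/v3
// "packages" map) for axios copies inside the affected ranges, i.e. below
// 0.31.1 on the 0.x line and 1.0.0 up to but excluding 1.15.1 on the 1.x line.

// Constructed lockfile for the demo: one direct axios, one nested copy under
// a legacy dependency, and one already-fixed copy elsewhere in the tree.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0', 'legacy-sdk': '1.0.0' } },
    'node_modules/axios': { version: '1.14.0' },
    'node_modules/legacy-sdk': { version: '1.0.0', dependencies: { axios: '^0.27.0' } },
    'node_modules/legacy-sdk/node_modules/axios': { version: '0.27.2' },
    'node_modules/other-lib/node_modules/axios': { version: '1.15.1' },
  },
};

// Parse "major.minor.patch" (pre-release/build suffixes are ignored here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Affected per the advisory text: < 0.31.1 on 0.x, and 1.0.0 <= v < 1.15.1 on 1.x.
// Assumption for this demo: any later major line is outside the advisory.
function isAffectedAxios(version) {
  const v = parseVersion(version);
  if (v[0] === 0) return compareVersions(v, [0, 31, 1]) < 0;
  if (v[0] === 1) return compareVersions(v, [1, 15, 1]) < 0;
  return false;
}

// Every entry whose install path ends in node_modules/axios is a copy of the
// package, wherever it sits in the tree; report the ones at affected versions.
function findVulnerableAxios(lock) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/axios') || !pkg.version) continue;
    if (isAffectedAxios(pkg.version)) hits.push({ path, version: pkg.version });
  }
  return hits;
}

console.log(findVulnerableAxios(SAMPLE_LOCK));
```

Note that a range check against the package's declared version (^1.14.0) would have missed the nested 0.27.2 copy; scanning the resolved install paths in the lockfile is what makes the inventory complete.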
