CVE-2026-42035
Published: 24 April 2026
Summary
CVE-2026-42035 is a high-severity HTTP Request/Response Splitting (CWE-113) vulnerability in Axios (vendor: Axios). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Web Protocols (T1071.001). The vulnerability is ranked at the 24.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation (SI-2) means upgrading Axios versions prior to 1.15.1/0.31.1 to the fixed releases, which removes the prototype pollution gadget itself.
Vulnerability scanning (RA-5) identifies systems running vulnerable Axios versions, or dependencies that provide a prototype pollution primitive, so they can be remediated proactively.
A system component inventory that covers third-party dependencies such as Axios reveals where vulnerable library versions are used across the application's dependency tree.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables injection of arbitrary HTTP headers into Axios-generated requests, which maps to adversary use of web protocols and manipulation of transmitted data.
NVD Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.
Deeper analysis
CVE-2026-42035 is a prototype pollution vulnerability in the Axios HTTP client library for browsers and Node.js, specifically within the HTTP adapter at lib/adapters/http.js. Versions prior to 1.15.1 and 0.31.1 are affected, where duck-type checking of data payloads can be exploited. If Object.prototype is polluted with methods such as getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios incorrectly identifies a plain object as a FormData instance and invokes the attacker-controlled getHeaders() function, allowing arbitrary HTTP headers to be merged into outgoing requests. The pollution source can originate from any dependency in the application's tree, not necessarily Axios itself.
A remote attacker with no privileges can exploit this by triggering prototype pollution through a vulnerable dependency, enabling injection of arbitrary headers into Axios-generated HTTP requests. This misidentification occurs during payload processing, compromising confidentiality and integrity (CVSS 7.4: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) without impacting availability. Exploitation requires high attack complexity, typically involving a chain from an initial prototype pollution primitive to Axios usage with a crafted plain object payload.
The GitHub security advisory (GHSA-6chq-wfr3-2hj9) confirms the issue is resolved in Axios versions 1.15.1 and 0.31.1, recommending immediate upgrades for affected installations. Practitioners should audit dependencies for prototype pollution risks and monitor for vulnerable Axios versions in browser and Node.js environments.
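As an added, defender-oriented illustration (not code from Axios, the GitHub advisory, or NVD), the JavaScript below shows how a duck-type "is this FormData?" check in the style the advisory describes flips on a plain object once Object.prototype carries the named members, next to a hardened check that ignores members inherited from Object.prototype and a simple detector for unexpected keys on Object.prototype. The functions naiveLooksLikeFormData, hardenedLooksLikeFormData, detectRootPrototypePollution, the ConstructedFormData class and the sample payload are all assumptions of this example; the hardened check is one reasonable mitigation pattern, not the vendor's actual fix, and the naive check is a simplification, not the real adapter code.

```javascript
// Added illustration (not Axios code): a naive duck-type FormData check, a hardened
// variant, and a detector for pollution of Object.prototype, exercised on a
// constructed payload. All names here are assumptions of this example.

// The members the advisory names as the gadget's duck-typing keys.
const FORMDATA_DUCK_KEYS = ['getHeaders', 'append', 'pipe', 'on', 'once', Symbol.toStringTag];

// Hypothetical, simplified duck-type check in the style described above. This is
// NOT the real Axios implementation: any object exposing all keys counts as FormData.
function naiveLooksLikeFormData(obj) {
  if (obj === null || typeof obj !== 'object') return false;
  return FORMDATA_DUCK_KEYS.every((key) => key in obj);
}

// Walk the prototype chain and stop before Object.prototype: a member that only
// exists because the shared root was polluted must not satisfy the check.
function hasMemberOutsideRootPrototype(obj, key) {
  let current = obj;
  while (current !== null && current !== Object.prototype) {
    if (Object.prototype.hasOwnProperty.call(current, key)) return true;
    current = Object.getPrototypeOf(current);
  }
  return false;
}

// Hardened duck-type check (an assumed mitigation pattern, not the vendor's fix).
function hardenedLooksLikeFormData(obj) {
  if (obj === null || typeof obj !== 'object') return false;
  return FORMDATA_DUCK_KEYS.every((key) => hasMemberOutsideRootPrototype(obj, key));
}

// Detection: snapshot the own keys of Object.prototype at startup and report any
// key that appears later. Run it at trust boundaries, e.g. before building requests.
const ROOT_PROTOTYPE_BASELINE = new Set(Reflect.ownKeys(Object.prototype));
function detectRootPrototypePollution() {
  return Reflect.ownKeys(Object.prototype).filter((key) => !ROOT_PROTOTYPE_BASELINE.has(key));
}

// Constructed stand-in for a genuine FormData-like class: its members live on its
// own prototype, so the hardened check still recognises it.
class ConstructedFormData {
  append() {}
  getHeaders() { return {}; }
  pipe() {}
  on() {}
  once() {}
  get [Symbol.toStringTag]() { return 'FormData'; }
}

// Simulates the pollution the advisory describes (in a real incident it would come
// from a pollution primitive in some dependency, not from direct assignment) and
// returns what each check and the detector report. Object.prototype is restored
// before returning so the rest of the process is unaffected.
function runScenario() {
  const plainPayload = { user: 'alice' }; // constructed request body
  const genuine = new ConstructedFormData();
  const before = {
    naive: naiveLooksLikeFormData(plainPayload),
    hardened: hardenedLooksLikeFormData(plainPayload),
    genuine: hardenedLooksLikeFormData(genuine),
  };
  for (const key of FORMDATA_DUCK_KEYS) {
    Object.defineProperty(Object.prototype, key, {
      value: () => ({}), writable: true, configurable: true, enumerable: false,
    });
  }
  const pollutedKeys = detectRootPrototypePollution();
  const after = {
    naive: naiveLooksLikeFormData(plainPayload),
    hardened: hardenedLooksLikeFormData(plainPayload),
    genuine: hardenedLooksLikeFormData(genuine),
  };
  for (const key of FORMDATA_DUCK_KEYS) delete Object.prototype[key];
  return { before, after, pollutedKeys };
}
```

In the scenario, the naive check reports the plain `{ user: 'alice' }` payload as FormData only after Object.prototype has been polluted, while the hardened check keeps rejecting it and still accepts the genuine class instance. The detector only flags keys that are new on Object.prototype; it will not notice an existing built-in such as toString being overwritten, so pair it with dependency scanning. Freezing Object.prototype with Object.freeze() at process start is a stronger hardening that blocks this class of pollution outright, at the cost of breaking code that legitimately extends the root prototype.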
Details
- CWE(s)