CVE-2026-42044
Published: 24 April 2026
Summary
CVE-2026-42044 is a medium-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in the Axios HTTP client library. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Transmitted Data Manipulation (T1565.002). The CVE ranks at the 31.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely identification, reporting, and correction of flaws like the prototype pollution gadget in Axios, here by upgrading to version 1.15.2 or later.
- RA-5 (Vulnerability Monitoring and Scanning): mandates vulnerability scanning that would identify the Axios library's exposure to CVE-2026-42044 anywhere in the dependency tree, including nested copies.
- SI-5 (Security Alerts, Advisories, and Directives): requires receiving, reviewing, and acting on security advisories like GHSA-3w6x-2g7m-8v23 for this Axios vulnerability.
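The RA-5 scan described above is easy to do by hand for a lockfile. The following is an added example, not code from the advisory or the Axios project: it walks the "packages" map of an npm package-lock.json (lockfile version 2 or 3), finds every installed copy of axios (top-level and nested), and flags versions in the affected range >= 1.0.0 and < 1.15.2. The lockfile text is constructed for the demo, and the version comparator is a small illustrative one (pre-release versions sort before their release; pre-release identifiers are not ordered among themselves).

```javascript
// Added example (not part of the advisory or of Axios): flag vulnerable axios
// copies in a package-lock.json. The lockfile below is constructed for the demo.
const CONSTRUCTED_LOCKFILE = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.6.0' } },
    'node_modules/axios': { version: '1.6.8' },
    'node_modules/some-sdk': { version: '2.0.0', dependencies: { axios: '^0.27.0' } },
    'node_modules/some-sdk/node_modules/axios': { version: '0.27.2' },
    'node_modules/other-tool/node_modules/axios': { version: '1.15.2' },
  },
});

// Affected range from the advisory: >= 1.0.0 and < 1.15.2.
const AFFECTED_MIN = '1.0.0';
const FIXED_IN = '1.15.2';

// Split "MAJOR.MINOR.PATCH[-pre][+build]" into numeric parts plus a pre-release flag.
function parseVersion(v) {
  const [core, pre] = v.split('+')[0].split('-', 2);
  return { nums: core.split('.').map(Number), pre: pre !== undefined };
}

// Returns -1, 0 or 1. A pre-release sorts before its release (1.15.2-beta.1 < 1.15.2).
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (va.nums[i] || 0) - (vb.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (va.pre !== vb.pre) return va.pre ? -1 : 1;
  return 0;
}

function isAffectedVersion(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 && compareVersions(version, FIXED_IN) < 0;
}

// Every installed axios path with its version and an "affected" verdict.
function scanLockfile(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Top-level copy is "node_modules/axios"; nested copies end with "/node_modules/axios".
    if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
      findings.push({ path, version: entry.version, affected: isAffectedVersion(entry.version) });
    }
  }
  return findings;
}

// Stand-alone run: prints one line per installed copy.
for (const f of scanLockfile(CONSTRUCTED_LOCKFILE)) {
  console.log(`${f.affected ? 'AFFECTED' : 'ok      '} ${f.path} (${f.version})`);
}
```

Nested copies matter: a project whose own axios is patched can still ship a vulnerable copy pulled in by an SDK, and the gadget fires in whichever copy parses the response. A 0.x copy is outside the stated range, but that is a statement about this CVE only, not an endorsement of staying on 0.x.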
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Once Object.prototype pollution has been achieved elsewhere in the application, the Axios gadget turns it into targeted modification of parsed JSON responses (e.g., privilege escalation or authorization bypass via altered API data), which is transmitted data manipulation in ATT&CK terms.
NVD Description
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.
Deeper analysis
CVE-2026-42044 is a Prototype Pollution "Gadget" vulnerability in the Axios library, a promise-based HTTP client used in browser and Node.js environments. It affects versions from 1.0.0 up to but not including 1.15.2. The issue stems from the default transformResponse function in lib/defaults/index.js at line 124, which invokes JSON.parse(data, this.parseReviver) using the merged config object as 'this'. Since parseReviver is absent from Axios defaults, unvalidated by assertOptions, and unconstrained, a polluted Object.prototype.parseReviver can be executed for every key-value pair in JSON responses, enabling targeted modifications.
A remote unauthenticated attacker can exploit this only if they first achieve Object.prototype pollution somewhere in the application's dependency tree; that precondition is why the vector carries high attack complexity (CVSS 6.5: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N). Once the prototype is polluted, the gadget allows surgical, hard-to-detect alterations to every JSON API response that Axios parses, such as privilege escalation, balance manipulation in financial apps, or authorization bypass, while the rest of each response stays intact, so neither schema validation nor a checksum over unchanged fields will notice.
The GitHub security advisory (GHSA-3w6x-2g7m-8v23) confirms the vulnerability and states it is fixed in Axios version 1.15.2. Security practitioners should upgrade to 1.15.2 or later and audit dependencies for prototype pollution risks (related to CWE-915 and CWE-1321).
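The mechanism in the NVD description and the analysis above can be reproduced in a few lines. What follows is an added example, not Axios source and not the upstream fix: vulnerableTransformResponse is a simplified model of the pre-1.15.2 default transform (JSON.parse called with this.parseReviver, where this is a plain merged-config object that has no own parseReviver), hardenedTransformResponse is one illustrative defence (honour a reviver only if it is the config's own property and a function), and isParseReviverPolluted is a startup check a defender could run. The API response, the config object and the malicious reviver are all constructed for the demo; the pollution step stands in for whatever other bug in the dependency tree would really set Object.prototype.parseReviver.

```javascript
// Added example (not Axios code): a model of the parseReviver gadget, one
// hardened variant, and a runtime check. All inputs are constructed.

// Constructed JSON body as the server actually sent it.
const SAMPLE_RESPONSE = JSON.stringify({
  user: 'alice',
  role: 'user',
  balance: 12.5,
  permissions: ['read'],
});

// Model of the vulnerable default transform: `this` is the merged config, and
// `this.parseReviver` falls through to Object.prototype when the config has no
// own parseReviver (the situation the advisory describes).
function vulnerableTransformResponse(data) {
  return JSON.parse(data, this.parseReviver);
}

// Illustrative hardened transform (not the upstream fix): only an own-property
// function on the config is ever passed to JSON.parse as a reviver.
function hardenedTransformResponse(data) {
  const own = Object.hasOwn(this, 'parseReviver') && typeof this.parseReviver === 'function';
  return JSON.parse(data, own ? this.parseReviver : undefined);
}

// Defender-side check: does a fresh plain object inherit a parseReviver?
// False on a clean runtime; true once Object.prototype has been polluted.
function isParseReviverPolluted() {
  return 'parseReviver' in {};
}

// Attacker-supplied reviver as a polluted prototype would deliver it. JSON.parse
// calls it for every key/value pair; it rewrites only "role" and returns
// everything else untouched, which is what makes the tampering hard to spot.
function maliciousReviver(key, value) {
  return key === 'role' ? 'admin' : value;
}

// Runs both transforms against the same response while the prototype is
// polluted, then restores Object.prototype so the rest of the process is clean.
function demonstrate() {
  const config = { baseURL: 'https://api.example.invalid' }; // constructed merged config, no own parseReviver
  const pollutedBefore = isParseReviverPolluted();
  Object.prototype.parseReviver = maliciousReviver; // stands in for a pollution bug elsewhere
  try {
    return {
      pollutedBefore,
      pollutedDuring: isParseReviverPolluted(),
      vulnerable: vulnerableTransformResponse.call(config, SAMPLE_RESPONSE),
      hardened: hardenedTransformResponse.call(config, SAMPLE_RESPONSE),
    };
  } finally {
    delete Object.prototype.parseReviver;
  }
}

// Stand-alone run: the vulnerable parse reports role "admin", the hardened one "user".
console.log(JSON.stringify(demonstrate(), null, 2));
```

Two practical points fall out of this. First, the check is cheap enough to run at process start and after dependency initialisation; a polluted parseReviver (or any unexpected enumerable key on Object.prototype) is a strong signal that a pollution bug is live, whether or not this gadget is reachable. Second, the hardened transform is a mitigation for this one gadget only: pollution of other inherited lookups stays exploitable, so upgrading to 1.15.2 or later and removing the pollution source are the real fixes.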
Details
- CWE(s)