HIGH · CVE-2026-44495 · Published · Modified · CNA: GitHub_M

CVE-2026-44495: Axios: Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge

Axios is a promise-based HTTP client for the browser and Node.js. Versions from 0.19.0 before 0.31.1, and 1.x versions before 1.15.2, contain prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse, affected Axios versions may treat that inherited value as request configuration or as an option validator. Axios does not itself create the prototype pollution: exploitability requires a separate prototype-pollution vulnerability, or equivalent attacker control over Object.prototype, before Axios creates a request. This vulnerability is fixed in 0.31.1 and 1.15.2.

Metrics

  • CVSS v3.1: 7.0
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a prototype-pollution gadget vulnerability in the Axios HTTP client library (versions 0.19.0 through 0.31.0 and 1.0.0 through 1.15.1) for Node.js and browser environments. The vulnerability is reachable over the network but requires high attack complexity because a separate prototype-pollution weakness in the same JavaScript process must already be present before Axios can be exploited as a gadget. Successful exploitation gives an attacker the ability to read credentials and sensitive response data, tamper with response handling, and cause limited service disruption. Patched versions (0.31.1 and 1.15.2) are available, and patched-image rebuilds are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection

Detection of CVE-2026-44495 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including the GitHub Advisory Database) within minutes of publication and matched against all customer images, including custom-built images that bundle Axios as a direct or transitive dependency. Any image layer containing an affected Axios version is flagged regardless of which registry or CI pipeline stage the scan occurs in.

Status: Available
Triage

HarborGuard triage capability assigns this CVE its upstream CVSS v3.1 score of 7.0 (High) and weights it further against each environment's compliance policy, including any rules that treat prototype-pollution chains as elevated risk. Findings are routed automatically to the team inbox configured for the relevant image or workload within each customer organization.

Status: Available
Patch

Patched-image rebuilds at Axios 0.31.1 or 1.15.2 (matching the version line in use) are available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The affected service must be reachable over the network for an attacker to deliver the initial prototype-pollution vector that this gadget depends on.

  • Authentication: Not required

    No authentication is required; the exploit path does not depend on holding any account or credential against the target service.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker does not rely on a user clicking a link or taking any manual action.

  • Attack complexity: High

    Attack complexity is high because exploitation requires a separate prototype-pollution vulnerability (or equivalent attacker control over Object.prototype) to already be active in the same JavaScript process before Axios processes a request.

Blast Radius

  • An attacker reads credentials, authorization tokens, or sensitive fields embedded in Axios request configs or response bodies.
  • An attacker modifies how Axios processes responses by injecting a malicious transformResponse function via the polluted prototype, altering data before it reaches application logic.
  • An attacker causes limited disruption to the affected service by injecting invalid config values that break request handling or response parsing.
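As an added illustration (not Axios's own code), the gadget pattern described above: a config merge that reads options through the prototype chain picks up a polluted transformResponse, while an own-property merge does not; it also includes the startup snapshot audit a runtime policy can use to detect unexpected additions to Object.prototype. The function names, the sample URL and the response body are assumptions constructed for this example.

```javascript
// Added illustration, not Axios source: a prototype-chain config merge as a
// gadget, the own-property merge and a prototype audit. Helper names are assumed.
const CONFIG_KEYS = ['url', 'method', 'transformResponse'];

// Vulnerable pattern: `config[key]` resolves inherited keys, so a polluted
// Object.prototype.transformResponse is treated as if the caller supplied it.
function mergeConfigNaive(defaults, config) {
  const merged = {};
  for (const key of CONFIG_KEYS) {
    merged[key] = config[key] !== undefined ? config[key] : defaults[key];
  }
  return merged;
}

// Hardened pattern: honour only the caller's own properties, never inherited ones.
function mergeConfigOwnOnly(defaults, config) {
  const merged = {};
  for (const key of CONFIG_KEYS) {
    merged[key] = Object.hasOwn(config, key) ? config[key] : defaults[key];
  }
  return merged;
}
// Run the response transform chain the way an HTTP client would.
function applyTransforms(merged, body) {
  return merged.transformResponse.reduce((acc, fn) => fn(acc), body);
}

// Runtime check: snapshot Object.prototype's own keys at startup (as early as
// possible, e.g. from a preload script) and report anything that appears later.
const PROTO_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
function auditObjectPrototype() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !PROTO_BASELINE.has(k));
}
// Constructed precondition: some OTHER bug in this process has already polluted
// Object.prototype. The pollution is removed again in `finally`.
function withPollutedPrototype(fn) {
  Object.prototype.transformResponse = [(data) => ({ hijacked: true, original: data })];
  try { return fn(); } finally { delete Object.prototype.transformResponse; }
}
function demo() {
  const defaults = { method: 'get', transformResponse: [(d) => JSON.parse(d)] };
  const request = { url: 'https://api.example.test/me' }; // caller set no transformResponse
  const body = '{"token":"constructed-sample"}';          // constructed response body
  return withPollutedPrototype(() => ({
    polluted: auditObjectPrototype(),                                       // ['transformResponse']
    naive: applyTransforms(mergeConfigNaive(defaults, request), body),       // hijacked wrapper object
    hardened: applyTransforms(mergeConfigOwnOnly(defaults, request), body),  // parsed JSON
  }));
}
```

Freezing Object.prototype at startup (Object.freeze) is the blunt form of the runtime policy the analysis below refers to; the audit above is the detection-only variant for processes where freezing breaks dependencies.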

How HarborGuard Handles This

Available on HarborGuard: the CVE is matched against customer images within minutes of advisory publication, covering every registry and pipeline stage where Axios appears as a direct or transitive dependency. Because no fix versions were published at CVE creation time but upstream patches now exist at 0.31.1 and 1.15.2, patched-image rebuilds targeting the correct version line are available for affected environments. For customers who opt into auto-remediation, HarborGuard will rebuild the image at the patched version, run regression tests, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Until a rebuild is deployed, HarborGuard recommends applying network-policy isolation to any service that exposes an Axios-backed endpoint externally, auditing all other dependencies in the same process for existing prototype-pollution weaknesses (since this CVE is only exploitable as a gadget chained to one), and using a runtime security policy to block unexpected modifications to Object.prototype where the Node.js environment supports it. HarborGuard re-checks the advisory on every ingest cycle and surfaces any additional patch guidance as it is published upstream.

Affected packages
  • axios / axios: >= 1.0.0, < 1.15.2 · >= 0.19.0, < 0.31.1
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L