Bug 2461607 (CVE-2026-42033)

Summary: CVE-2026-42033 axios: Axios: HTTP Transport Hijacking via Prototype Pollution
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, adudiak, akostadi, alcohan, alizardo, amasferr, anthomas, bbrownin, bdettelb, brasmith, caswilli, cdrage, chfoley, cmah, cmyers, cochase, dbosanac, dfreiber, dhanak, dkuc, dmayorov, dnakabaa, doconnor, dranck, drosa, drow, dschmidt, dymurray, eaguilar, ebaron, eborisov, ehelms, erezende, ewittman, fdeutsch, ggainey, ggrzybek, gmalinko, gparvin, ibek, ibolton, janstey, jbalunas, jburrell, jchui, jhe, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jraez, jreimann, jrokos, juwatts, jwong, kaycoth, kshier, ktsao, lball, lchilton, lcouzens, lphiri, mdessi, mhulan, mnovotny, mrizzi, nboldt, ngough, nipatil, nmoumoul, oaljalju, omaciel, orabin, oramraz, osousa, pahickey, pantinor, parichar, pcattana, pcreech, pdelbell, pgaikwad, pjindal, psrna, rchan, rgodfrey, rhaigner, rhel-process-autobot, rjohnson, rkubis, rstepani, rushinde, sausingh, sdawley, sdoran, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sseago, stcannon, stirabos, swoodman, tasato, teagle, thason, tmalecek, tsedmik, veshanka, vkumar, watson-tool-maintainers, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HTTP communication. This could lead to unauthorized access to sensitive information like user credentials and request details.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-24 18:01:50 UTC 
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process. This vulnerability is fixed in 1.15.1 and 0.31.1.