Bug 2487937 (CVE-2026-44495)

Summary: CVE-2026-44495 axios: Axios: Information disclosure due to prototype pollution vulnerability
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, adudiak, akostadi, alcohan, alizardo, amasferr, anthomas, ataylor, bbrownin, bdettelb, brasmith, cdrage, cmah, cmyers, cochase, dbosanac, dbruscin, dfreiber, dkeler, dkuc, dmayorov, dnakabaa, doconnor, dranck, drow, dschmidt, dymurray, eaguilar, ebaron, eborisov, ehelms, ehugonne, erezende, ewittman, fdeutsch, fmariani, ggainey, ggrzybek, gmalinko, gparvin, ibolton, janstey, jbalunas, jburrell, jchui, jhe, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jpasqual, jraez, jreimann, juwatts, jwong, jwon, kaycoth, kshier, ktsao, kvanderr, lball, lchilton, lcouzens, lphiri, mcarlett, mdessi, mhess, mhulan, mrizzi, nboldt, ngough, nipatil, nmoumoul, oaljalju, omaciel, orabin, oramraz, osousa, pahickey, pantinor, parichar, pcattana, pcreech, pdelbell, pgaikwad, pjindal, prwatson, psrna, rchan, rhaigner, rhel-process-autobot, rjohnson, rkubis, rstepani, rushinde, sdawley, sdoran, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sseago, stcannon, stirabos, suppawar, tasato, tcunning, teagle, thason, tmalecek, tsedmik, veshanka, vkumar, vle, vwilson, watson-tool-maintainers, yfang, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2488103, 2488104, 2488105, 2488112, 2488118, 2488126, 2488127, 2488128, 2488106, 2488108, 2488114, 2488121, 2488125    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-11 17:01:16 UTC
Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse, affected Axios versions may treat that inherited value as request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request. This vulnerability is fixed in 0.31.1 and 1.15.2.

Comment 2 errata-xmlrpc 2026-07-01 11:03:33 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9

Via RHSA-2026:34160 https://access.redhat.com/errata/RHSA-2026:34160