Bug 2487937 (CVE-2026-44495)
| Summary: | CVE-2026-44495 axios: Axios: Information disclosure due to prototype pollution vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aazores, abarbaro, abrianik, abuckta, adudiak, akostadi, alcohan, alizardo, amasferr, anthomas, ataylor, bbrownin, bdettelb, brasmith, cdrage, cmah, cmyers, cochase, dbosanac, dbruscin, dfreiber, dkeler, dkuc, dmayorov, dnakabaa, doconnor, dranck, drow, dschmidt, dymurray, eaguilar, ebaron, eborisov, ehelms, ehugonne, erezende, ewittman, fdeutsch, fmariani, ggainey, ggrzybek, gmalinko, gparvin, ibolton, janstey, jbalunas, jburrell, jchui, jhe, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jpasqual, jraez, jreimann, juwatts, jwong, jwon, kaycoth, kshier, ktsao, kvanderr, lball, lchilton, lcouzens, lphiri, mcarlett, mdessi, mhess, mhulan, mrizzi, nboldt, ngough, nipatil, nmoumoul, oaljalju, omaciel, orabin, oramraz, osousa, pahickey, pantinor, parichar, pcattana, pcreech, pdelbell, pgaikwad, pjindal, prwatson, psrna, rchan, rhaigner, rhel-process-autobot, rjohnson, rkubis, rstepani, rushinde, sdawley, sdoran, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sseago, stcannon, stirabos, suppawar, tasato, tcunning, teagle, thason, tmalecek, tsedmik, veshanka, vkumar, vle, vwilson, watson-tool-maintainers, yfang, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2488103, 2488104, 2488105, 2488112, 2488118, 2488126, 2488127, 2488128, 2488106, 2488108, 2488114, 2488121, 2488125 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2026-06-11 17:01:16 UTC
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.6 for RHEL 9 Via RHSA-2026:34160 https://access.redhat.com/errata/RHSA-2026:34160 |