Bug 2487940 (CVE-2026-44489)

Summary: CVE-2026-44489 axios: Axios: Information disclosure via Prototype Pollution
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, adudiak, akostadi, alcohan, alizardo, amasferr, anthomas, ataylor, bbrownin, bdettelb, brasmith, cdrage, cmah, cmyers, cochase, dbosanac, dbruscin, dfreiber, dkeler, dkuc, dmayorov, dnakabaa, doconnor, dranck, drow, dschmidt, dymurray, eaguilar, ebaron, eborisov, ehelms, ehugonne, erezende, ewittman, fdeutsch, fmariani, ggainey, ggrzybek, gmalinko, gparvin, ibolton, janstey, jbalunas, jburrell, jchui, jhe, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jpasqual, jraez, jreimann, juwatts, jwong, jwon, kaycoth, kshier, ktsao, kvanderr, lball, lchilton, lcouzens, lphiri, mcarlett, mdessi, mhess, mhulan, mrizzi, nboldt, ngough, nipatil, nmoumoul, oaljalju, omaciel, orabin, oramraz, osousa, pahickey, pantinor, parichar, pcattana, pcreech, pdelbell, pgaikwad, pjindal, prwatson, psrna, rchan, rhaigner, rhel-process-autobot, rjohnson, rkubis, rstepani, rushinde, sdawley, sdoran, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sseago, stcannon, stirabos, suppawar, tasato, tcunning, teagle, thason, tmalecek, tsedmik, veshanka, vkumar, vle, vwilson, watson-tool-maintainers, yfang, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Axios, a promise-based HTTP client. A remote attacker could exploit a prototype pollution vulnerability, which occurs when nested objects are created without proper checks, allowing an attacker to inject malicious properties into Object.prototype. This vulnerability specifically affects the setProxy() function, which, when processing proxy credentials, fails to validate if properties like username or password belong to the object itself. Consequently, attacker-controlled credentials can be injected into Proxy-Authorization headers, potentially leading to information disclosure in proxied HTTP requests.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2488107, 2488110, 2488113, 2488117, 2488123, 2488124, 2488109, 2488111, 2488115, 2488116, 2488119, 2488120, 2488122    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-11 17:01:29 UTC
Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request. This vulnerability is fixed in 1.16.0.