Bug 2487940 (CVE-2026-44489)
| Summary: | CVE-2026-44489 axios: Axios: Information disclosure via Prototype Pollution | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | aazores, abarbaro, abrianik, abuckta, adudiak, akostadi, alcohan, alizardo, amasferr, anthomas, ataylor, bbrownin, bdettelb, brasmith, cdrage, cmah, cmyers, cochase, dbosanac, dbruscin, dfreiber, dkeler, dkuc, dmayorov, dnakabaa, doconnor, dranck, drow, dschmidt, dymurray, eaguilar, ebaron, eborisov, ehelms, ehugonne, erezende, ewittman, fdeutsch, fmariani, ggainey, ggrzybek, gmalinko, gparvin, ibolton, janstey, jbalunas, jburrell, jchui, jhe, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jpasqual, jraez, jreimann, juwatts, jwong, jwon, kaycoth, kshier, ktsao, kvanderr, lball, lchilton, lcouzens, lphiri, mcarlett, mdessi, mhess, mhulan, mrizzi, nboldt, ngough, nipatil, nmoumoul, oaljalju, omaciel, orabin, oramraz, osousa, pahickey, pantinor, parichar, pcattana, pcreech, pdelbell, pgaikwad, pjindal, prwatson, psrna, rchan, rhaigner, rhel-process-autobot, rjohnson, rkubis, rstepani, rushinde, sdawley, sdoran, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sseago, stcannon, stirabos, suppawar, tasato, tcunning, teagle, thason, tmalecek, tsedmik, veshanka, vkumar, vle, vwilson, watson-tool-maintainers, yfang, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Axios, a promise-based HTTP client. A remote attacker could exploit a prototype pollution vulnerability, which occurs when nested objects are created without proper checks, allowing an attacker to inject malicious properties into Object.prototype. This vulnerability specifically affects the setProxy() function, which, when processing proxy credentials, fails to validate if properties like username or password belong to the object itself. Consequently, attacker-controlled credentials can be injected into Proxy-Authorization headers, potentially leading to information disclosure in proxied HTTP requests.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2488107, 2488110, 2488113, 2488117, 2488123, 2488124, 2488109, 2488111, 2488115, 2488116, 2488119, 2488120, 2488122 | ||
| Bug Blocks: | |||
Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request. This vulnerability is fixed in 1.16.0.