Bug 2461624 (CVE-2026-42044) - CVE-2026-42044 axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget
Summary: CVE-2026-42044 axios: Axios: Invisible JSON Response Tampering via Prototype ...
Keywords:
Status: NEW
Alias: CVE-2026-42044
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2468000 2468002 2468003 2468005 2468006 2468007 2468009 2467998 2467999 2468001 2468004 2468008 2468010
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-24 19:01 UTC by OSIDB Bzimport
Modified: 2026-07-02 00:05 UTC (History)
118 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:34608 0 None None None 2026-07-02 00:05:11 UTC

Description OSIDB Bzimport 2026-04-24 19:01:36 UTC
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.

Comment 2 errata-xmlrpc 2026-07-02 00:05:03 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 2.9.4

Via RHSA-2026:34608 https://access.redhat.com/errata/RHSA-2026:34608


Note You need to log in before you can comment on or make changes to this bug.