Bug 2467927 (CVE-2026-42264) - CVE-2026-42264 axios: Axios: Prototype pollution allows information disclosure and request manipulation
Summary: CVE-2026-42264 axios: Axios: Prototype pollution allows information disclosur...
Keywords:
Status: NEW
Alias: CVE-2026-42264
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2492891 2492892 2492893 2492896 2492899 2492901 2492902 2492905 2492890 2492894 2492897 2492903 2492904
Blocks:
Reported: 2026-05-08 04:02 UTC by OSIDB Bzimport
Modified: 2026-07-02 13:15 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-05-08 04:02:44 UTC
Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.
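As an added illustration (not axios's own code), the following JavaScript contrasts the unguarded config read the advisory describes with a hasOwnProperty-guarded read, and includes a small runtime check that reports which of the five gadget keys are currently reachable through Object.prototype. The helper names, the sample config and the polluted value are assumptions; only the five property names come from the advisory.

```javascript
// Added example, not axios code: models the unguarded property reads the
// advisory describes and the hasOwnProperty guard that closes them.
// Only the five property names come from the advisory; everything else
// (helper names, the sample config, the polluted value) is constructed.
const GADGET_KEYS = ['auth', 'baseURL', 'socketPath', 'beforeRedirect', 'insecureHTTPParser'];

// Vulnerable pattern: `config[key]` walks the prototype chain, so a value
// planted on Object.prototype is returned even though the caller never set it.
function readConfigUnguarded(config) {
  const out = {};
  for (const key of GADGET_KEYS) out[key] = config[key];
  return out;
}

// Hardened pattern: honour own properties only; inherited values are dropped.
function readConfigGuarded(config) {
  const out = {};
  for (const key of GADGET_KEYS) {
    out[key] = Object.prototype.hasOwnProperty.call(config, key) ? config[key] : undefined;
  }
  return out;
}

// Runtime check a service can run at startup or in a health probe: lists any
// gadget keys that currently resolve through Object.prototype.
function pollutedGadgetKeys() {
  return GADGET_KEYS.filter((key) => Object.prototype.hasOwnProperty.call(Object.prototype, key));
}

// Test harness only: plants one key on Object.prototype (standing in for a
// pollution bug in some other dependency) and removes it again afterwards.
function withSimulatedPollution(key, value, fn) {
  Object.prototype[key] = value;
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}

function demo() {
  const userConfig = { url: '/api/items' }; // constructed; sets no baseURL
  return withSimulatedPollution('baseURL', 'http://polluted.invalid/', () => ({
    unguarded: readConfigUnguarded(userConfig).baseURL, // 'http://polluted.invalid/'
    guarded: readConfigGuarded(userConfig).baseURL,     // undefined
    detected: pollutedGadgetKeys(),                     // ['baseURL']
  }));
}
```

The guarded reader is the shape of the fix the advisory refers to; the detection helper is useful for alerting when any dependency in the process has already polluted one of these keys.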

