Bug 2487937 (CVE-2026-44495) - CVE-2026-44495 axios: Axios: Information disclosure due to prototype pollution vulnerability
Summary: CVE-2026-44495 axios: Axios: Information disclosure due to prototype pollutio...
Keywords:
Status: NEW
Alias: CVE-2026-44495
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2488103 2488104 2488105 2488112 2488118 2488126 2488127 2488128 2488106 2488108 2488114 2488121 2488125
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-11 17:01 UTC by OSIDB Bzimport
Modified: 2026-06-23 10:32 UTC (History)
121 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-11 17:01:16 UTC 
Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse, affected Axios versions may treat that inherited value as request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request. This vulnerability is fixed in 0.31.1 and 1.15.2.
Note You need to log in before you can comment on or make changes to this bug.