CVE-2026-42041

MEDIUM 4.8

Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

CVSS Score

4.8

EPSS Score

0.0%

EPSS Percentile

0th

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript's in operator — an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () => true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1.

CWE	CWE-287 CWE-1321
Vendor	axios
Product	axios
Published	Apr 24, 2026
Last Updated	Apr 24, 2026

Stay Ahead of the Next One

Get instant alerts for axios axios

Be the first to know when new medium vulnerabilities affecting axios axios are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

axios / axios

>= 1.0.0, < 1.15.1 < 0.31.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63