CVE-2026-42044

MEDIUM 6.5

Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.

CWE	CWE-915 CWE-1321
Vendor	axios
Product	axios
Published	Apr 24, 2026
Last Updated	Apr 24, 2026

Stay Ahead of the Next One

Get instant alerts for axios axios

Be the first to know when new medium vulnerabilities affecting axios axios are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Affected Versions

axios / axios

>= 1.0.0, < 1.15.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23