CVE-2026-44494

HIGH 8.7

Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`

CVSS Score

8.7

EPSS Score

0.0%

EPSS Percentile

0th

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.

CWE	CWE-441 CWE-1321
Vendor	axios
Product	axios
Published	Jun 11, 2026
Last Updated	Jun 11, 2026

Stay Ahead of the Next One

Get instant alerts for axios axios

Be the first to know when new high vulnerabilities affecting axios axios are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

axios / axios

>= 1.0.0, < 1.16.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh