{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/axios--0.31.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-42035"}],"_cs_exploited":false,"_cs_products":["axios (\u003e= 1.0.0, \u003c 1.15.1)","axios (\u003c= 0.31.0)"],"_cs_severities":["high"],"_cs_tags":["prototype-pollution","header-injection","axios","cve-2026-42035","authentication-bypass","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA prototype pollution gadget exists within the Axios HTTP adapter (specifically in \u003ccode\u003elib/adapters/http.js\u003c/code\u003e) that enables attackers to inject arbitrary HTTP headers into outgoing HTTP requests. The vulnerability arises from Axios\u0026rsquo;s reliance on duck-type checking of the data payload. If the \u003ccode\u003eObject.prototype\u003c/code\u003e is polluted with properties like \u003ccode\u003egetHeaders\u003c/code\u003e, \u003ccode\u003eappend\u003c/code\u003e, \u003ccode\u003epipe\u003c/code\u003e, \u003ccode\u003eon\u003c/code\u003e, \u003ccode\u003eonce\u003c/code\u003e, and \u003ccode\u003eSymbol.toStringTag\u003c/code\u003e, Axios incorrectly identifies any plain object payload as a \u003ccode\u003eFormData\u003c/code\u003e instance. Consequently, Axios invokes the attacker-controlled \u003ccode\u003egetHeaders()\u003c/code\u003e function, merging the resulting headers into the outgoing request. The vulnerability affects Axios versions greater than or equal to 1.0.0 and less than 1.15.1, as well as versions 0.31.0 and earlier. Exploitation requires a prototype pollution primitive existing somewhere in the application\u0026rsquo;s dependency chain. Successful exploitation can lead to authentication bypass, session fixation, privilege escalation, and IP spoofing.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a prototype pollution vulnerability within a dependency used by the target application (e.g., using \u003ccode\u003elodash.merge\u003c/code\u003e, \u003ccode\u003eqs\u003c/code\u003e, or \u003ccode\u003eJSON5\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious JavaScript code that pollutes the \u003ccode\u003eObject.prototype\u003c/code\u003e with the following properties and corresponding values: \u003ccode\u003eSymbol.toStringTag\u003c/code\u003e set to \u003ccode\u003e'FormData'\u003c/code\u003e, \u003ccode\u003eappend\u003c/code\u003e as an empty function, \u003ccode\u003egetHeaders\u003c/code\u003e as a function returning attacker-controlled headers, \u003ccode\u003epipe\u003c/code\u003e as a function, and \u003ccode\u003eon\u003c/code\u003e and \u003ccode\u003eonce\u003c/code\u003e as functions that return \u003ccode\u003ethis\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe target application uses Axios to make an HTTP request (POST, PUT, or PATCH) with a data payload.\u003c/li\u003e\n\u003cli\u003eAxios\u0026rsquo;s \u003ccode\u003elib/adapters/http.js\u003c/code\u003e processes the data payload and performs duck-type checks using \u003ccode\u003eutils.isFormData\u003c/code\u003e and \u003ccode\u003eutils.isFunction(data.getHeaders)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the prototype pollution, the \u003ccode\u003eutils.isFormData\u003c/code\u003e function incorrectly identifies the data payload as a FormData instance.\u003c/li\u003e\n\u003cli\u003eAxios then calls the attacker-controlled \u003ccode\u003egetHeaders()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s \u003ccode\u003egetHeaders()\u003c/code\u003e function returns a set of malicious HTTP headers.\u003c/li\u003e\n\u003cli\u003eAxios merges these malicious headers into the outgoing HTTP request, potentially overwriting or adding sensitive headers. The request is sent to the target server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have significant consequences. Attackers can bypass authentication mechanisms by injecting arbitrary \u003ccode\u003eAuthorization\u003c/code\u003e headers or escalate privileges by injecting \u003ccode\u003eX-Role\u003c/code\u003e or \u003ccode\u003eX-User-ID\u003c/code\u003e headers. Session fixation is also possible. IP spoofing and WAF bypass can also occur due to header injection. The potential impact could extend beyond a single service if Axios is used for service-to-service communication, where downstream services trust identity headers forwarded from upstream API gateways.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Axios to a patched version (\u0026gt;= 1.15.1 or \u0026gt; 0.31.0) to remediate CVE-2026-42035.\u003c/li\u003e\n\u003cli\u003eApply the provided patch to \u003ccode\u003elib/adapters/http.js\u003c/code\u003e to include an explicit own-property check on \u003ccode\u003egetHeaders\u003c/code\u003e as a short-term mitigation.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization to prevent prototype pollution vulnerabilities in the application\u0026rsquo;s dependencies, focusing on libraries like \u003ccode\u003elodash.merge\u003c/code\u003e, \u003ccode\u003eqs\u003c/code\u003e, and \u003ccode\u003eJSON5\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and restrict the usage of deep-merge utilities that process attacker-controlled input to minimize the risk of prototype pollution.\u003c/li\u003e\n\u003cli\u003eIf Axios is used in service-to-service communication, carefully evaluate the trust boundaries and the potential impact of injected headers on downstream services, considering a Scope Change as outlined in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-axios-prototype-pollution/","summary":"A prototype pollution vulnerability in the Axios HTTP adapter allows an attacker to inject arbitrary HTTP headers into outgoing requests by polluting the Object prototype with specific properties, leading to potential authentication bypass and privilege escalation.","title":"Axios HTTP Adapter Prototype Pollution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-axios-prototype-pollution/"}],"language":"en","title":"CraftedSignal Threat Feed — Axios (\u003c= 0.31.0)","version":"https://jsonfeed.org/version/1.1"}