CVE-2026-42033 HIGH

CVE-2026-42033: Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking

Vendor Axios
Product axios
Weakness CWE-1321
Published April 24, 2026
Last update June 30, 2026

CVSS base score

7.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process. This vulnerability is fixed in 1.15.1 and 0.31.1.

Key dates

02Disclosure timeline

April 24, 2026 CVE published
June 30, 2026 Record updated