fix(deps): update axios to address high security advisory#14
Open
renovate[bot] wants to merge 1 commit into
Open
fix(deps): update axios to address high security advisory#14renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR remediates open vulnerability advisories detected by
pnpm audit. CI cannot pass while any advisory remains, so all fixes are bundled here. Each entry below links to the GHSA advisory with details on impact and the chosen fix.This PR contains the following updates:
^0.31.0→^0.32.0axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
CVE-2026-44490 / GHSA-898c-q2cr-xwhg
More information
Details
Summary
axios
1.15.2exposes two read-side prototype-pollution gadgets. WhenObject.prototypeis polluted by an upstream dependency in the same process (e.g. lodash_.merge/ CVE-2018-16487), axios silently picks up the polluted values:lib/utils.jsline 406 buildsmerge()'s accumulator asresult = {}, soresult[targetKey](line 414) walksObject.prototypeand the polluted bucket's own keys are copied into the merged headers and ride out on the wire.lib/core/mergeConfig.jsline 26 builds thehasOwnPropertydescriptor as a plain-object literal.Object.definePropertyreadsdescriptor.get/descriptor.setvia the prototype chain, so a pollutedObject.prototype.getorObject.prototype.setmakes the call throwTypeErrorsynchronously on every axios request.Affected Properties
Object.prototype.commonObject.prototype.delete/.head/.post/.put/.patch/.queryObject.prototype.getTypeError: Getter must be a functionfrommergeConfig.js:26Object.prototype.setTypeError: Setter must be a functionfrommergeConfig.js:26Per-request headers (
axios.request(url, { headers: {...} })) overwrite polluted entries. PollutingObject.prototype.gettriggers the crash before any header is built.Proof of Concept
Impact
Content-Length: 99999): receiver waits for a body that never arrives. Affects requests with a body.Transfer-Encoding: chunkedrides alongside axios's autoContent-Length): receiver rejects with400 Bad Request. Affects requests with a body.If-None-Match: *): receiver returns empty304 Not Modified. Affects GET / HEAD.Object.prototype.get/.set): every axios request fails synchronously withTypeError, notAxiosError, so handlers filtering onerror.isAxiosErrormishandle the failure.Attack Flow
flowchart TD ROOT["Polluted Object.prototype<br/>via upstream gadget (e.g. lodash <= 4.17.10 _.merge / CVE-2018-16487)<br/>axios <= 1.15.2"] ROOT --> CLASS_A["A. Arbitrary HTTP Header Injection<br/>Polluted defaults.headers slot rides along on every outbound axios request"] ROOT --> CLASS_B["B. Crash DoS via Object.prototype.get / .set<br/>Polluted descriptor breaks Object.defineProperty in mergeConfig"] CLASS_A --> PRE_A["Precondition: header not set per-request by the app<br/>Injected via defaults.headers slot<br/>(common, delete, head, post, put, patch, query)"] PRE_A --> PA1["Response Suppression<br/>Trigger: common = {If-None-Match: *}<br/>Affects GET / HEAD"] PA1 --> SA1["DoS<br/>304 Not Modified empty"] PRE_A --> PA2["Server Hang<br/>Trigger: common = {Content-Length: 99999}<br/>Affects requests with body"] PA2 --> SA2["DoS<br/>connection hang"] PRE_A --> PA3["CL+TE Conflict<br/>Trigger: common = {Transfer-Encoding: chunked}<br/>Affects requests with body"] PA3 --> SA3["DoS<br/>400 Bad Request"] CLASS_B --> SB1["DoS<br/>TypeError: Getter / Setter must be a function<br/>Crashes every axios request, not only GET"] %% Styles style ROOT fill:#f87171,stroke:#​991b1b,color:#fff style CLASS_A fill:#fb923c,stroke:#​9a3412,color:#fff style CLASS_B fill:#fb923c,stroke:#​9a3412,color:#fff style PRE_A fill:#e2e8f0,stroke:#​64748b,color:#​1e293b style PA1 fill:#fbbf24,stroke:#​92400e,color:#​000 style PA2 fill:#fbbf24,stroke:#​92400e,color:#​000 style PA3 fill:#fbbf24,stroke:#​92400e,color:#​000 style SA1 fill:#ef4444,stroke:#​991b1b,color:#fff style SA2 fill:#ef4444,stroke:#​991b1b,color:#fff style SA3 fill:#ef4444,stroke:#​991b1b,color:#fff style SB1 fill:#ef4444,stroke:#​991b1b,color:#fffRoot Cause
Finding A.
lib/utils.js:404-429'smerge()createsresult = {}at line 406. The dangerous-keys filter on lines 408-411 blocks the write side, but the read at line 414 (isPlainObject(result[targetKey])) still walks the prototype chain. WhentargetKeymatches a polluted slot,result[targetKey]returns the polluted nested object, and the recursivemerge(result[targetKey], val)on line 415 iterates that object's own keys viaforEachand copies them as own properties into the new accumulator. Those keys flow throughmergeConfig.js:35→Axios.js:148(utils.merge(headers.common, headers[config.method])) →Axios.js:155(AxiosHeaders.concat(...)) → onto the wire viahttp.js:677(headers: headers.toJSON()) →http.js:767(transport.request(options, ...)).Finding B.
lib/core/mergeConfig.js:25correctly makesconfig = Object.create(null), but the descriptor passed on line 26 is a plain-object literal - itsget/setlookups walkObject.prototype. A polluted non-functionObject.prototype.getor.setmakesObject.definePropertythrowTypeError: Getter must be a function(orSetter must be a function) before the call returns. The descriptor is built unconditionally on everymergeConfiginvocation, so every axios request throws - POST, PUT, DELETE, PATCH, HEAD, QUERY, not only GET.Suggested Fix
Use null-prototype objects in place of the plain-object literals at
lib/utils.js:406andlib/core/mergeConfig.js:26-31. The same descriptor pattern recurs atlib/core/AxiosError.js:37,lib/core/AxiosHeaders.js:100,lib/utils.js:447/454/492/498, andlib/adapters/adapters.js:28/32.Resources
lodash.mergeprototype pollution inlodash <= 4.17.10Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
CVE-2026-44496 / GHSA-hfxv-24rg-xrqf
More information
Details
Summary
Axios versions before
0.32.0on the0.xline and before1.16.0on the1.xline build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios readsdocument.cookie.The practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read
document.cookie.Impact
Applications are affected only when attacker-controlled data can reach the XSRF cookie name configuration or a direct/unsafe call to the internal cookie helper.
This does not expose credentials, modify requests, or affect response integrity. The impact is availability only.
Affected Functionality
Affected code paths:
lib/helpers/cookies.jsread(name)in standard browser environments.lib/helpers/resolveConfig.jsin1.x, when browser XHR/fetch adapters resolve XSRF config.lib/adapters/xhr.jsin0.x, when the XHR adapter reads the configured XSRF cookie.axios/unsafe/helpers/cookies.jsin1.x, if callers pass attacker-controlled names.Unaffected code paths:
xsrfCookieName: 'XSRF-TOKEN'when not attacker-controlled.xsrfCookieName: null.document.cookie.Technical Details
Affected versions interpolate the cookie name into a regex.
Because
nameis not escaped, regex metacharacters in the cookie name are interpreted as regex syntax. A payload such as(.+)+$can force catastrophic backtracking againstdocument.cookie.The fix avoids dynamic regex construction and parses
document.cookieby splitting on;, trimming leading whitespace, and comparing cookie names with exact string equality.Proof of Concept of Attack
Expected result: timings grow rapidly as the cookie string length increases.
Workarounds
Set
xsrfCookieName: nullif the application does not need axios to read an XSRF cookie.Do not derive
xsrfCookieNamefrom untrusted input. If a dynamic cookie name is unavoidable, validate it against a strict cookie-name allowlist before passing it to axios.Avoid calling
axios/unsafe/helpers/cookies.jsdirectly with untrusted namesOriginal Source
Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
1. Title
ReDoS via Unsanitized Cookie Name in Dynamic Regular Expression Construction
2. Affected Software and Version
lib/helpers/cookies.js3. Vulnerability Type / CWE
4. CVSS 3.1 Score
Score: 7.5 (High)
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H5. Description
The
cookies.read()function inlib/helpers/cookies.jsconstructs a regular expression dynamically using thenameparameter without any sanitization or escaping of special regex characters. At line 33, the code passes the rawnamevalue directly intonew RegExp():An attacker who can control or influence the cookie name parameter (e.g., via XSRF cookie name configuration, prototype pollution of
xsrfCookieName, or any code path where user input reachescookies.read()) can inject a malicious regex pattern that causes catastrophic backtracking, leading to a Denial of Service condition.With a crafted input of approximately 20-30 characters, the regex engine can be forced to consume several seconds to minutes of CPU time, effectively freezing the JavaScript event loop.
6. Root Cause Analysis
File:
lib/helpers/cookies.jsLine: 33
The vulnerability exists because:
nameparameter is concatenated directly into a regex pattern without escaping special regex metacharacters.(?:^|; )prefix combined with an injected pattern like((((.*)*)*)*)*creates nested quantifiers that cause catastrophic backtracking when the regex engine attempts to match againstdocument.cookie.The
cookies.read()function is called fromlib/helpers/resolveConfig.jsat line 61:The
xsrfCookieNamevalue comes from the Axios configuration, which can be influenced by prototype pollution or direct configuration injection.7. Proof of Concept
8. PoC Output
The exponential growth pattern is clearly visible: each additional 2 characters approximately quadruples the execution time.
9. Impact
10. Remediation / Suggested Fix
Escape all regex metacharacters in the
nameparameter before constructing the regular expression.Alternatively, avoid dynamic regex construction entirely and use string-based parsing:
11. References
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
CVE-2026-44486 / GHSA-j5f8-grm9-p9fc
More information
Details
Summary
Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a
Proxy-Authorizationheader. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the staleProxy-Authorizationheader can remain on the redirected request and be sent to the redirect target.This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected.
Impact
An attacker who controls a server that the victim application requests can redirect the request so that the attacker-controlled redirect target receives the victim’s proxy credentials.
The most relevant case is a Node.js application using an authenticated
HTTP_PROXYfor an initialhttp://request, with redirects enabled, where the redirect target resolves to no proxy, such as anhttps://URL whenHTTPS_PROXYis unset.This does not affect browser, XHR, or fetch adapter behaviour. It also does not affect requests with
maxRedirects: 0.Affected Functionality
Affected functionality is limited to the Node.js HTTP adapter in
lib/adapters/http.js.Relevant inputs and settings include:
HTTP_PROXY,HTTPS_PROXY, andNO_PROXY.http://user:pass@proxy.example:8080.follow-redirects.setProxy().beforeRedirects.proxy.Technical Details
In affected v1 releases,
setProxy()addsProxy-Authorizationwhen a proxy with credentials is selected, but redirect handling callssetProxy()again without first clearing any existing proxy authorization header.If the redirected URL resolves to no proxy,
setProxy()does not add a new proxy configuration and also does not remove the old header. The redirected request can therefore carry the staleProxy-Authorizationheader to the final origin.The v1 fix in
afca61aadds anisRedirectpath that deletes any case variant ofProxy-Authorizationbefore proxy settings are re-applied on redirect. The v0 backport in2af6116fixed the 0.x line for0.32.0.Proof of Concept of Attack
Attacker-controlled HTTP endpoint:
Expected result on affected versions:
Expected result on fixed versions:
Workarounds
Set
maxRedirects: 0and handle redirects manually.Avoid using authenticated proxy environment variables for requests to untrusted HTTP origins unless redirect behaviour is controlled.
Ensure proxy environment variables are configured consistently across protocols so redirects do not unexpectedly change from proxied to direct connections.
Original Source
Summary
Axios' Node.js HTTP adapter can leak proxy credentials to a redirect target origin. When an initial request is sent through an authenticated HTTP proxy, Axios adds a
Proxy-Authorizationheader. On redirect, Axios re-evaluates proxy settings, but if the redirected request no longer uses a proxy, the staleProxy-Authorizationheader is not cleared. As a result, the redirect target can receive the proxy credential directly.This issue affects the Node.js HTTP adapter and can be reproduced when the initial request uses
HTTP_PROXYwith authentication, redirects are enabled, and the redirected request is resolved to no proxy, such as whenHTTPS_PROXYis unset or the redirect target is excluded byNO_PROXY.Details
In the current implementation:
setProxy()addsProxy-Authorizationwhen a proxy with credentials is in use.setProxy()for the redirected request.setProxy()does not clear the previously addedProxy-Authorizationheader.Relevant code locations:
lib/adapters/http.jssetProxy()addsProxy-AuthorizationbeforeRedirects.proxyPoC
GET http://<attacker-site>/startcorp proxy302 Location: https://<attacker-site>/finalProxy-AuthorizationheaderObserved output:
This demonstrates that the proxy credential is exposed to the redirect target origin.
Impact
Exposes authenticated proxy credentials to an attacker-controlled origin.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
CVE-2026-44487 / GHSA-p92q-9vqr-4j8v
More information
Details
Summary
Axios’s Node.js HTTP adapter may forward a
Proxy-Authorizationheader to a redirected origin during specific proxy-to-direct redirect flows.This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy.
Impact
A malicious or attacker-controlled origin can cause an axios client to disclose its configured proxy credentials if all required conditions are present.
The leak is limited to Node.js HTTP adapter requests. Browser, XHR, fetch, and React Native adapter paths are not affected by this Node-specific proxy handling path.
The practical impact depends on the leaked credentials. If the credential is reusable and the proxy is reachable by the attacker, the attacker may be able to authenticate to that proxy, subject to the proxy’s own network exposure, authorisation policy, and credential scope.
Affected Functionality
Affected functionality requires all of the following:
http://request using an authenticated proxy fromconfig.proxyor proxy environment variables.HTTPS_PROXYor a matchingNO_PROXY.Unaffected functionality includes browser adapters, requests with
maxRedirects: 0, requests without proxy credentials, and redirect flows where the redirect layer stripsProxy-Authorizationbefore axios reconfigures the redirected request.Technical Details
In affected versions,
lib/adapters/http.jsaddsProxy-AuthorizationinsetProxy()when a proxy with credentials is used.Axios also installs redirect proxy handling so redirected requests can re-run proxy resolution. Before the fix, when the redirected request no longer resolved to a proxy,
setProxy()did not clear aProxy-Authorizationheader inherited from the previous request options. Iffollow-redirectsdid not remove that header for the specific redirect shape, the redirected direct request carried the stale proxy credential to the origin.The
1.xfix in commitafca61achangessetProxy(options, configProxy, location, isRedirect)so redirect re-invocation removes every case variant ofProxy-Authorizationbefore applying proxy settings for the next hop. Regression tests intests/unit/adapters/http.test.jscover no-proxy redirects,NO_PROXY, different proxy targets, casing variants, and an end-to-end redirect flow.The
0.xfixed release0.32.0includes a backport-styleremoveProxyAuthorization()guard inlib/adapters/http.js.Proof of Concept of Attack
Safe local outline using dummy credentials:
Expected vulnerable behaviour:
Expected fixed behaviour:
Workarounds
Set
maxRedirects: 0and handle redirects manually, ensuringProxy-Authorizationis not copied to requests that are not sent through the proxy.Avoid using reusable authenticated HTTP proxy credentials for requests to untrusted origins. If exposure is suspected, rotate the proxy credential.
Original Source
Summary
Axios’s Node.js
httpadapter can incorrectly forward a retainedProxy-Authorizationheader to the final HTTPS origin during certain HTTP-to-HTTPS redirect flows.When an initial HTTP request is sent through an authenticated
HTTP_PROXY, and the redirected HTTPS request is sent directly because no proxy applies to the redirected HTTPS URL, Axios retains the staleProxy-Authorizationheader and forwards it to the final origin.Details
The issue occurs during a proxy-to-direct transition across redirects.
When Axios sends an initial HTTP request through an authenticated
HTTP_PROXY, it correctly includesProxy-Authorizationfor the proxy hop. If that response redirects to an HTTPS URL on the same hostname, and no proxy applies to the redirected HTTPS URL, the redirected request is sent directly to the final origin instead of through the proxy.In the affected flow, the final HTTPS origin receives a
Proxy-Authorizationheader value that was intended only for the outbound proxy.Whether the issue is observable depends on how the redirect layer compares the host and port across the redirect. In the affected redirect shape, confidential-header handling does not remove the retained
Proxy-Authorizationheader before the redirected request is sent.Root Cause Analysis
Based on code review, Axios appears to create the stale header condition in its Node.js
httpadapter.In lib/adapters/http.js:
Proxy-Authorizationin setProxy().As a result, Axios correctly adds proxy credentials for the first proxied request, but does not clear them when a later redirected request becomes direct.
A dependent factor is the behavior of the redirect layer. In the affected redirect shape, confidential-header handling does not remove the retained
Proxy-Authorizationheader before the redirected request is sent. This appears to be why the issue is observable only for certain redirect shapes.Client Conditions
HTTP_PROXYHTTPS_PROXYis configured)Under that redirect shape, the retained
Proxy-Authorizationheader is not removed before the redirected request is sent to the final HTTPS origin.Reproduction Outline
Detailed reproduction instructions were shared with the maintainers during coordinated disclosure. The public outline below preserves the validated configuration and observable behavior needed to assess exposure, while omitting environment-specific test-harness details.
The issue was reproduced only in a researcher-controlled local test environment using dummy proxy credentials.
The issue was confirmed under the following conditions:
Observed behavior
Proxy-Authorization.Proxy-Authorizationheader.Proxy-Authorizationheader value that was intended only for the proxy.Expected behavior
Axios should not send the
Proxy-Authorizationheader on a redirected request that is no longer sent through a proxy.Impact
Under the affected redirect and proxy configuration, the final HTTPS origin may receive a retained
Proxy-Authorizationheader value that was intended only for the outbound proxy.If that credential is valid and reusable, and the outbound proxy is reachable by the attacker, the attacker may be able to authenticate to that proxy with the affected environment’s proxy credential, subject to the credential’s scope and the proxy’s access controls.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
CVE-2026-44492 / GHSA-pjwm-pj3p-43mv
More information
Details
Summary
shouldBypassProxy, introduced in v1.15.0 to fix CVE-2025-62718, does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as
127.0.0.1or169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1,::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked.Details
lib/helpers/shouldBypassProxy.js (v1.15.0):
The WHATWG URL parser canonicalises
http://[::ffff:127.0.0.1]/to hostname[::ffff:7f00:1]. After bracket-stripping:::ffff:7f00:1. This string does not match 127.0.0.1 in NO_PROXY and is not in LOOPBACK_ADDRESSES, so shouldBypassProxy returns false and the proxy is used. proxy-from-env (called before shouldBypassProxy) has the same gap - it does not equate ::ffff:7f00:1 with 127.0.0.1 - so neither layer catches the bypass.PoC
Node.js routes ::ffff:7f00:1 to 127.0.0.1:
Cloud metadata SSRF: ::ffff:a9fe:a9fe = ::ffff:169.254.169.254. If NO_PROXY=169.254.169.254 is set to block IMDS access, a request to http://[::ffff:a9fe:a9fe]/latest/meta-data/ bypasses it.
Fix
Canonicalise IPv4-mapped IPv6 in normalizeNoProxyHost before any comparison:
Impact
Any application that sets NO_PROXY to exclude internal or metadata endpoints and uses an HTTP/HTTPS proxy can have those exclusions bypassed by a URL using IPv4-mapped IPv6 notation. The attacker must control the request URL. In cloud environments with instance metadata services, this can lead to credential exfiltration.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
CVE-2026-44490 / GHSA-898c-q2cr-xwhg
More information
Details
Summary
axios
1.15.2exposes two read-side prototype-pollution gadgets. WhenObject.prototypeis polluted by an upstream dependency in the same process (e.g. lodash_.merge/ CVE-2018-16487), axios silently picks up the polluted values:lib/utils.jsline 406 buildsmerge()'s accumulator asresult = {}, soresult[targetKey](line 414) walksObject.prototypeand the polluted bucket's own keys are copied into the merged headers and ride out on the wire.lib/core/mergeConfig.jsline 26 builds thehasOwnPropertydescriptor as a plain-object literal.Object.definePropertyreadsdescriptor.get/descriptor.setvia the prototype chain, so a pollutedObject.prototype.getorObject.prototype.setmakes the call throwTypeErrorsynchronously on every axios request.Affected Properties
Object.prototype.commonObject.prototype.delete/.head/.post/.put/.patch/.queryObject.prototype.getTypeError: Getter must be a functionfrommergeConfig.js:26Object.prototype.setTypeError: Setter must be a functionfrommergeConfig.js:26Per-request headers (
axios.request(url, { headers: {...} })) overwrite polluted entries. PollutingObject.prototype.gettriggers the crash before any header is built.Proof of Concept
Impact
Content-Length: 99999): receiver waits for a body that never arrives. Affects requests with a body.Transfer-Encoding: chunkedrides alongside axios's autoContent-Length): receiver rejects with400 Bad Request. Affects requests with a body.If-None-Match: *): receiver returns empty304 Not Modified. Affects GET / HEAD.Object.prototype.get/.set): every axios request fails synchronously withTypeError, notAxiosError, so handlers filtering onerror.isAxiosErrormishandle the failure.Attack Flow
flowchart TD ROOT["Polluted Object.prototype<br/>via upstream gadget (e.g. lodash <= 4.17.10 _.merge / CVE-2018-16487)<br/>axios <= 1.15.2"] ROOT --> CLASS_A["A. Arbitrary HTTP Header Injection<br/>Polluted defaults.headers slot rides along on every outbound axios request"] ROOT --> CLASS_B["B. Crash DoS via Object.prototype.get / .set<br/>Polluted descriptor breaks Object.defineProperty in mergeConfig"] CLASS_A --> PRE_A["Precondition: header not set per-request by the app<br/>Injected via defaults.headers slot<br/>(common, delete, head, post, put, patch, query)"] PRE_A --> PA1["Response Suppression<br/>Trigger: common = {If-None-Match: *}<br/>Affects GET / HEAD"] PA1 --> SA1["DoS<br/>304 Not Modified empty"] PRE_A --> PA2["Server Hang<br/>Trigger: common = {Content-Length: 99999}<br/>Affects requests with body"] PA2 --> SA2["DoS<br/>connection hang"] PRE_A --> PA3["CL+TE Conflict<br/>Trigger: common = {Transfer-Encoding: chunked}<br/>Affects requests with body"] PA3 --> SA3["DoS<br/>400 Bad Request"] CLASS_B --> SB1["DoS<br/>TypeError: Getter / Setter must be a function<br/>Crashes every axios request, not only GET"] %% Styles style ROOT fill:#f87171,stroke:#​991b1b,color:#fff style CLASS_A fill:#fb923c,stroke:#​9a3412,color:#fff style CLASS_B fill:#fb923c,stroke:#​9a3412,color:#fff style PRE_A fill:#e2e8f0,stroke:#​64748b,color:#​1e293b style PA1 fill:#fbbf24,stroke:#​92400e,color:#​000 style PA2 fill:#fbbf24,stroke:#​92400e,color:#​000 style PA3 fill:#fbbf24,stroke:#​92400e,color:#​000 style SA1 fill:#ef4444,stroke:#​991b1b,color:#fff style SA2 fill:#ef4444,stroke:#​991b1b,color:#fff style SA3 fill:#ef4444,stroke:#​991b1b,color:#fff style SB1 fill:#ef4444,stroke:#​991b1b,color:#fffRoot Cause
Finding A.
lib/utils.js:404-429'smerge()createsresult = {}at line 406. The dangerous-keys filter on lines 408-411 blocks the write side, but the read at line 414 (isPlainObject(result[targetKey])) still walks the prototype chain. WhentargetKeymatches a polluted slot,result[targetKey]returns the polluted nested object, and the recursivemerge(result[targetKey], val)on line 415 iterates that object's own keys viaforEachand copies them as own properties into the new accumulator. Those keys flow throughmergeConfig.js:35→Axios.js:148(utils.merge(headers.common, headers[config.method])) →Axios.js:155(AxiosHeaders.concat(...)) → onto the wire viahttp.js:677(headers: headers.toJSON()) →http.js:767(transport.request(options, ...)).Finding B.
lib/core/mergeConfig.js:25correctly makesconfig = Object.create(null), but the descriptor passed on line 26 is a plain-object literal - itsget/setlookups walkObject.prototype. A polluted non-functionObject.prototype.getor.setmakesObject.definePropertythrowTypeError: Getter must be a function(orSetter must be a function) before the call returns. The descriptor is built unconditionally on everymergeConfiginvocation, so every axios request throws - POST, PUT, DELETE, PATCH, HEAD, QUERY, not only GET.Suggested Fix
Use null-prototype objects in place of the plain-object literals at
lib/utils.js:406andlib/core/mergeConfig.js:26-31. The same descriptor pattern recurs atlib/core/AxiosError.js:37,lib/core/AxiosHeaders.js:100,lib/utils.js:447/454/492/498, andlib/adapters/adapters.js:28/32.Resources
lodash.mergeprototype pollution inlodash <= 4.17.10Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
CVE-2026-44496 / GHSA-hfxv-24rg-xrqf
More information
Details
Summary
Axios versions before
0.32.0on the0.xline and before1.16.0on the1.xline build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios readsdocument.cookie.The practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read
document.cookie.Impact
Applications are affected only when attacker-controlled data can reach the XSRF cookie name configuration or a direct/unsafe call to the internal cookie helper.
This does not expose credentials, modify requests, or affect response integrity. The impact is availability only.
Affected Functionality
Affected code paths:
lib/helpers/cookies.jsread(name)in standard browser environments.lib/helpers/resolveConfig.jsin1.x, when browser XHR/fetch adapters resolve XSRF config.lib/adapters/xhr.jsin0.x, when the XHR adapter reads the configured XSRF cookie.axios/unsafe/helpers/cookies.jsin1.x, if callers pass attacker-controlled names.Unaffected code paths:
xsrfCookieName: 'XSRF-TOKEN'when not attacker-controlled.xsrfCookieName: null.document.cookie.Technical Details
Affected versions interpolate the cookie name into a regex.
Because
nameis not escaped, regex metacharacters in the cookie name are interpreted as regex syntax. A payload such as(.+)+$can force catastrophic backtracking againstdocument.cookie.The fix avoids dynamic regex construction and parses
document.cookieby splitting on;, trimming leading whitespace, and comparing cookie names with exact string equality.Proof of Concept of Attack
Expected result: timings grow rapidly as the cookie string length increases.
Workarounds
Set
xsrfCookieName: nullif the application does not need axios to read an XSRF cookie.Do not derive
xsrfCookieNamefrom untrusted input. If a dynamic cookie name is unavoidable, validate it against a strict cookie-name allowlist before passing it to axios.Avoid calling `axios/uns