chore(deps): update dependency axios to v1.16.0 [security] #1930
Merged
Codecov Report: All modified and coverable lines are covered by tests.

```
@@            Coverage Diff             @@
##           master    #1930      +/-   ##
==========================================
- Coverage   92.93%   92.91%   -0.02%
==========================================
  Files         167      167
  Lines       11714    11714
==========================================
- Hits        10886    10884       -2
- Misses        828      830       +2
```

Flags with carried forward coverage won't be shown.
B4nan approved these changes on Jun 1, 2026
This PR contains the following updates:
1.15.0 → 1.16.0

axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
CVE-2026-44490 / GHSA-898c-q2cr-xwhg
Summary
axios 1.15.2 exposes two read-side prototype-pollution gadgets. When `Object.prototype` is polluted by an upstream dependency in the same process (e.g. lodash `_.merge` / CVE-2018-16487), axios silently picks up the polluted values:

- `lib/utils.js` line 406 builds `merge()`'s accumulator as `result = {}`, so `result[targetKey]` (line 414) walks `Object.prototype` and the polluted bucket's own keys are copied into the merged headers and ride out on the wire.
- `lib/core/mergeConfig.js` line 26 builds the `hasOwnProperty` descriptor as a plain-object literal. `Object.defineProperty` reads `descriptor.get` / `descriptor.set` via the prototype chain, so a polluted `Object.prototype.get` or `Object.prototype.set` makes the call throw `TypeError` synchronously on every axios request.

Affected Properties
- `Object.prototype.common`
- `Object.prototype.delete` / `.head` / `.post` / `.put` / `.patch` / `.query`
- `Object.prototype.get`: `TypeError: Getter must be a function` from `mergeConfig.js:26`
- `Object.prototype.set`: `TypeError: Setter must be a function` from `mergeConfig.js:26`

Per-request headers (`axios.request(url, { headers: {...} })`) overwrite polluted entries. Polluting `Object.prototype.get` triggers the crash before any header is built.

Proof of Concept
Impact
- Server hang (`Content-Length: 99999`): receiver waits for a body that never arrives. Affects requests with a body.
- CL+TE conflict (`Transfer-Encoding: chunked` rides alongside axios's auto `Content-Length`): receiver rejects with `400 Bad Request`. Affects requests with a body.
- Response suppression (`If-None-Match: *`): receiver returns empty `304 Not Modified`. Affects GET / HEAD.
- Crash DoS (`Object.prototype.get` / `.set`): every axios request fails synchronously with `TypeError`, not `AxiosError`, so handlers filtering on `error.isAxiosError` mishandle the failure.

Attack Flow
```mermaid
flowchart TD
  ROOT["Polluted Object.prototype<br/>via upstream gadget (e.g. lodash <= 4.17.10 _.merge / CVE-2018-16487)<br/>axios <= 1.15.2"]
  ROOT --> CLASS_A["A. Arbitrary HTTP Header Injection<br/>Polluted defaults.headers slot rides along on every outbound axios request"]
  ROOT --> CLASS_B["B. Crash DoS via Object.prototype.get / .set<br/>Polluted descriptor breaks Object.defineProperty in mergeConfig"]
  CLASS_A --> PRE_A["Precondition: header not set per-request by the app<br/>Injected via defaults.headers slot<br/>(common, delete, head, post, put, patch, query)"]
  PRE_A --> PA1["Response Suppression<br/>Trigger: common = {If-None-Match: *}<br/>Affects GET / HEAD"]
  PA1 --> SA1["DoS<br/>304 Not Modified empty"]
  PRE_A --> PA2["Server Hang<br/>Trigger: common = {Content-Length: 99999}<br/>Affects requests with body"]
  PA2 --> SA2["DoS<br/>connection hang"]
  PRE_A --> PA3["CL+TE Conflict<br/>Trigger: common = {Transfer-Encoding: chunked}<br/>Affects requests with body"]
  PA3 --> SA3["DoS<br/>400 Bad Request"]
  CLASS_B --> SB1["DoS<br/>TypeError: Getter / Setter must be a function<br/>Crashes every axios request, not only GET"]
  %% Styles
  style ROOT fill:#f87171,stroke:#991b1b,color:#fff
  style CLASS_A fill:#fb923c,stroke:#9a3412,color:#fff
  style CLASS_B fill:#fb923c,stroke:#9a3412,color:#fff
  style PRE_A fill:#e2e8f0,stroke:#64748b,color:#1e293b
  style PA1 fill:#fbbf24,stroke:#92400e,color:#000
  style PA2 fill:#fbbf24,stroke:#92400e,color:#000
  style PA3 fill:#fbbf24,stroke:#92400e,color:#000
  style SA1 fill:#ef4444,stroke:#991b1b,color:#fff
  style SA2 fill:#ef4444,stroke:#991b1b,color:#fff
  style SA3 fill:#ef4444,stroke:#991b1b,color:#fff
  style SB1 fill:#ef4444,stroke:#991b1b,color:#fff
```

Root Cause
Finding A. `lib/utils.js:404-429`'s `merge()` creates `result = {}` at line 406. The dangerous-keys filter on lines 408-411 blocks the write side, but the read at line 414 (`isPlainObject(result[targetKey])`) still walks the prototype chain. When `targetKey` matches a polluted slot, `result[targetKey]` returns the polluted nested object, and the recursive `merge(result[targetKey], val)` on line 415 iterates that object's own keys via `forEach` and copies them as own properties into the new accumulator. Those keys flow through `mergeConfig.js:35` → `Axios.js:148` (`utils.merge(headers.common, headers[config.method])`) → `Axios.js:155` (`AxiosHeaders.concat(...)`) → onto the wire via `http.js:677` (`headers: headers.toJSON()`) → `http.js:767` (`transport.request(options, ...)`).

Finding B. `lib/core/mergeConfig.js:25` correctly makes `config = Object.create(null)`, but the descriptor passed on line 26 is a plain-object literal; its `get`/`set` lookups walk `Object.prototype`. A polluted non-function `Object.prototype.get` or `.set` makes `Object.defineProperty` throw `TypeError: Getter must be a function` (or `Setter must be a function`) before the call returns. The descriptor is built unconditionally on every `mergeConfig` invocation, so every axios request throws: POST, PUT, DELETE, PATCH, HEAD, QUERY, not only GET.

Suggested Fix
Use null-prototype objects in place of the plain-object literals at `lib/utils.js:406` and `lib/core/mergeConfig.js:26-31`. The same descriptor pattern recurs at `lib/core/AxiosError.js:37`, `lib/core/AxiosHeaders.js:100`, `lib/utils.js:447/454/492/498`, and `lib/adapters/adapters.js:28/32`.

Resources
- `lodash.merge` prototype pollution in `lodash <= 4.17.10`

Severity
`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L`

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
CVE-2026-44492 / GHSA-pjwm-pj3p-43mv
Summary
`shouldBypassProxy`, introduced in v1.15.0 to fix CVE-2025-62718, does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as `127.0.0.1` or `169.254.169.254`, a request URL using the IPv4-mapped IPv6 form (`::ffff:7f00:1`, `::ffff:a9fe:a9fe`) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked.

Details
lib/helpers/shouldBypassProxy.js (v1.15.0):
The WHATWG URL parser canonicalises `http://[::ffff:127.0.0.1]/` to hostname `[::ffff:7f00:1]`. After bracket-stripping: `::ffff:7f00:1`. This string does not match 127.0.0.1 in NO_PROXY and is not in LOOPBACK_ADDRESSES, so shouldBypassProxy returns false and the proxy is used. proxy-from-env (called before shouldBypassProxy) has the same gap; it does not equate ::ffff:7f00:1 with 127.0.0.1, so neither layer catches the bypass.

PoC
Node.js routes ::ffff:7f00:1 to 127.0.0.1:
Cloud metadata SSRF: ::ffff:a9fe:a9fe = ::ffff:169.254.169.254. If NO_PROXY=169.254.169.254 is set to block IMDS access, a request to http://[::ffff:a9fe:a9fe]/latest/meta-data/ bypasses it.
Fix
Canonicalise IPv4-mapped IPv6 in normalizeNoProxyHost before any comparison:
Impact
Any application that sets NO_PROXY to exclude internal or metadata endpoints and uses an HTTP/HTTPS proxy can have those exclusions bypassed by a URL using IPv4-mapped IPv6 notation. The attacker must control the request URL. In cloud environments with instance metadata services, this can lead to credential exfiltration.
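As an added illustration of the canonicalisation the Fix section above calls for (example code written for this page, not the advisory's or axios's patch): `parseIPv6Groups` and the simplified `shouldBypassProxy` are assumptions, and the full NO_PROXY grammar (domain suffixes, ports, CIDR) is deliberately out of scope.

```javascript
// Added example (not axios's own code): canonicalise an IPv4-mapped IPv6 host
// before comparing it with NO_PROXY, so ::ffff:7f00:1 is treated as 127.0.0.1.
// parseIPv6Groups / shouldBypassProxy below are assumptions, not axios APIs.

// Parse an IPv6 literal into eight 16-bit groups, honouring "::" compression and
// a trailing dotted IPv4 tail (e.g. ::ffff:127.0.0.1). Returns null if malformed.
function parseIPv6Groups(addr) {
  let s = addr;
  const lastColon = s.lastIndexOf(':');
  const tail = s.slice(lastColon + 1);
  if (tail.includes('.')) {
    const octets = tail.split('.');
    if (octets.length !== 4 || !octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255)) {
      return null;
    }
    const [a, b, c, d] = octets.map(Number);
    s = s.slice(0, lastColon + 1) + ((a << 8) | b).toString(16) + ':' + ((c << 8) | d).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - rest.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill('0'), ...rest];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Return the embedded dotted-quad for an IPv4-mapped address (::ffff:a.b.c.d);
// any other host comes back unchanged (lower-cased, URL brackets stripped).
function normalizeNoProxyHost(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  if (!h.includes(':')) return h; // plain hostname or dotted IPv4
  const g = parseIPv6Groups(h);
  if (!g) return h;
  const isMapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff;
  if (!isMapped) return h;
  return [g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join('.');
}

// Simplified NO_PROXY check: the request host and every NO_PROXY entry are both
// canonicalised before comparison, so the mapped form cannot slip past an IPv4 entry.
function shouldBypassProxy(hostname, noProxy) {
  const target = normalizeNoProxyHost(hostname);
  return noProxy
    .split(',')
    .map((entry) => entry.trim())
    .filter(Boolean)
    .some((entry) => entry === '*' || normalizeNoProxyHost(entry) === target);
}
```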
Severity
`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N`

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy
CVE-2026-44494 / GHSA-35jp-ww65-95wh
Vulnerability Disclosure: Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy

Summary
The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any `Object.prototype` pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack: intercepting, reading, and modifying all HTTP traffic including authentication credentials.

The HTTP adapter at `lib/adapters/http.js:670` reads `config.proxy` via standard property access, which traverses the prototype chain. Because `proxy` is not present in Axios defaults, the merged config object has no own `proxy` property, making it trivially injectable via prototype pollution. Once injected, `setProxy()` routes all HTTP requests through the attacker's proxy server.

Unlike the `transformResponse` gadget (which is constrained by `assertOptions` to return `true`), the proxy gadget has zero constraints: the attacker gets a full MITM position with the ability to read all credentials and tamper with all responses.

Severity: Critical (CVSS 9.4)
Affected Versions: All versions (v0.x - v1.x including v1.15.0)
Vulnerable Component: `lib/adapters/http.js` (config property access on merged object)

CWE

CVSS 3.1
Score: 9.4 (Critical)
Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L`

Scoring notes:
- `Object.prototype.proxy = {host:'attacker', port:8080}`. Consistent with GHSA-fvcv-3m26-pcqx scoring methodology.
- Compared with `transformResponse`, which must return `true`.

Why This Bypasses mergeConfig
The critical difference from `transformResponse`: the `proxy` property is not in defaults (`lib/defaults/index.js` does not set `proxy`). This means:
1. `mergeConfig` iterates `Object.keys({...defaults, ...userConfig})`; `proxy` is NOT in this set.
2. `defaultToConfig2` for `proxy` is never called.
3. The merged config has no own `proxy` property.
4. When `http.js:670` reads `config.proxy`, JavaScript traverses the prototype chain.
5. `Object.prototype.proxy` is found and used by `setProxy()`.

This is a more direct attack path than `transformResponse` because it doesn't even go through `mergeConfig`'s merge logic; it completely bypasses it.

Usage of "Helper" Vulnerabilities
This vulnerability requires Zero Direct User Input.
If an attacker can pollute `Object.prototype` via any other library in the stack (e.g., `qs`, `minimist`, `lodash`, `body-parser`), Axios will automatically use the polluted `proxy` value when making HTTP requests. The developer's code is completely safe; no configuration errors needed.

Proof of Concept
1. The Setup (Simulated Pollution)
Imagine a scenario where a known prototype pollution vulnerability exists in a query parser. The attacker sends a payload that sets:
2. The Gadget Trigger (Safe Code)
The application makes a completely safe, hardcoded request:
3. The Execution
At `http.js:668-670`:
`setProxy()` at `http.js:191-239` then:
4. The Impact (Full MITM)
The attacker's proxy server receives:
The `Authorization` header contains `svc-account:prod-key-abc123!` in Base64. The attacker:
5. Verified PoC Code
Verified PoC Output
Impact Analysis
- `Authorization` header, cookies, API keys, and request bodies are visible to the attacker's proxy in plaintext.
- No constraint like `transformResponse`'s "must return true".

Why This Is More Severe Than transformResponse (axios_26)
- `this.auth` + response data
- `true`
- `true` (suspicious)

Recommended Fix
Fix 1: Use `hasOwnProperty` when reading security-sensitive config properties

Fix 2: Enumerate all properties not in defaults and apply `hasOwnProperty`
Properties not in defaults that are read by http.js and have security impact:
- `config.proxy`: MITM
- `config.socketPath`: Unix socket SSRF
- `config.transport`: request hijack
- `config.lookup`: DNS hijack
- `config.beforeRedirect`: redirect manipulation
- `config.httpAgent` / `config.httpsAgent`: agent injection

All should use `hasOwnProperty` checks.

Fix 3: Use null-prototype object for merged config
Resources
Timeline
Severity
`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N`

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
CVE-2026-44495 / GHSA-3g43-6gmg-66jw
Summary
Axios versions before the fixed releases contain prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted `Object.prototype.transformResponse`, affected Axios versions may treat that inherited value as request configuration or as an option validator.

Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over `Object.prototype` before Axios creates a request.

Impact
For ordinary prototype-pollution primitives that can only assign JSON-like values, this issue primarily results in request failures or denial-of-service attacks.
If the attacker can pollute `Object.prototype.transformResponse` with a function, affected versions of Axios may execute it. In fully affected versions, the function can observe response data and request config, including URL, headers, and `auth`, and can change the response data returned to application code.

This function-valued condition is important. Most query-string or JSON parser prototype-pollution bugs cannot create JavaScript functions on their own, so credential exposure and response tampering are conditional rather than automatic consequences of such bugs.
Affected Functionality
The affected functionality is Axios request config processing and response transformation.
Affected use requires all of the following:
- A separate vulnerability, or equivalent attacker control, that pollutes `Object.prototype` in the same process or browser context.
- A request config that does not set its own `transformResponse`.

This is not specific to the Node HTTP adapter. Browser and Node usage can both pass through the shared config/transform pipeline, though real-world exploitability depends on the surrounding application and any helper vulnerabilities.
Technical Details
In affected versions, `mergeConfig()` reads config values through normal property access. For config keys present in Axios defaults, including `transformResponse`, a missing own property on the request config can fall through to `Object.prototype`.

In the fully affected path, this means `Object.prototype.transformResponse` can replace Axios's default response transform. The selected transform is later executed by `transformData()` with the request config as `this`.

Some later affected v1 releases guarded the merge path but still used inherited properties while looking up validators in `validator.assertOptions()`. In that narrower case, a polluted function can still run during config validation and inspect the config argument, but it does not replace the response transform.

Fixed versions use own-property checks and null-prototype config objects, so inherited `Object.prototype` values are not treated as Axios config or validator schema entries.

Proof of Concept of Attack
Expected result on fully affected versions: the polluted transform runs, captures request config and response data, and replaces the response returned to the caller.
Expected result on fixed versions: the polluted transform is ignored, and the original response is returned.
Original source report
Summary
The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any `Object.prototype` pollution in the application's dependency tree to be escalated into credential theft and response hijacking across all Axios requests.

The `mergeConfig()` function reads config properties via standard property access (`config2[prop]`), which traverses the JavaScript prototype chain. When `Object.prototype.transformResponse` is polluted with a function, it overrides the default JSON response parser for every request. The injected function executes with `this = config`, exposing `auth.username`, `auth.password`, request URL, and all headers.

Severity: High (CVSS 8.2)
Affected Versions: All versions (v0.x - v1.x including v1.15.0)
Vulnerable Component: `lib/core/mergeConfig.js` (Config Merge) + `lib/core/transformData.js` (Transform Execution)

CWE
CVSS 3.1
Score: 9.4 (High)
Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H`
- `this.auth.password`, `this.url`, original response data all exfiltrated
- `true`: attacker cannot return arbitrary data due to `assertOptions` constraint (see below)
- `TypeError: validator is not a function` crash (DoS) on every request

Relationship to GHSA-fvcv-3m26-pcqx
This vulnerability is in the same class as GHSA-fvcv-3m26-pcqx ("Unrestricted Cloud Metadata Exfiltration via Header Injection Chain"), which was also a PP gadget in axios rated Critical. Both require zero direct user input and exploit `mergeConfig`'s prototype chain traversal.

Usage of "Helper" Vulnerabilities
This vulnerability requires Zero Direct User Input.
If an attacker can pollute `Object.prototype` via any other library in the stack (e.g., `qs`, `minimist`, `lodash`, `body-parser`), Axios will automatically pick up the polluted `transformResponse` property during its config merge.

The critical difference from GHSA-fvcv-3m26-pcqx: this vector was NOT fixed by the header sanitization patch in v1.15.0, because it does not use headers at all; it injects a function into the response processing pipeline.
Proof of Concept
1. The Setup (Simulated Pollution)
Imagine a scenario where a known vulnerability exists in a query parser. The attacker sends a payload that sets:
Important constraint: The polluted value must be a function returning `true`, not an array. If an array is used, `assertOptions()` at `validator.js:89-92` crashes with `TypeError: validator is not a function` (which is still a DoS vector). The function must return `true` because `validator.js:93` checks `result !== true`.

2. The Gadget Trigger (Safe Code)
The application makes a completely safe, hardcoded request:
3. The Execution
Axios's `mergeConfig()` at `mergeConfig.js:99-103` iterates config keys:
The polluted function then executes at `transformData.js:21`:
4. The Impact
The response data seen by the application is `true` (the required return value), which will likely cause the application to malfunction but will not reveal the theft.
5. DoS Variant
Verified PoC Output
Impact Analysis
- `this.auth.username`, `this.auth.password`, `this.headers.Authorization`, and all other config properties are accessible to the injected function. The attacker can exfiltrate them to an external server.
- The original response (`data` parameter) is available to the injected function before being replaced.

Limitations (Honest Assessment)
- Must return `true` to pass `assertOptions`

Recommended Fix
Use `hasOwnProperty` checks in `defaultToConfig2` to prevent prototype chain traversal:
Additionally, validate that `transformResponse` contains only functions before execution:

Resources
Timeline
Severity
`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L`

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
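Added example, not axios's own code, covering the hardening the advisories above recommend: the null-prototype accumulator from the first advisory's Suggested Fix, the `hasOwnProperty` reads and adapter-only key list from the `config.proxy` advisory's Fixes 1 to 3, and the `transformResponse` function check from the last advisory. All function names are assumptions; the pollution is simulated in-process by the test harness and removed again afterwards.

```javascript
// Added example (not axios's own code): a hardened config merge that cannot pick
// up inherited Object.prototype values, beside a naive merge that does.
const DEFAULTS = {
  method: 'get',
  timeout: 0,
  transformResponse: [(data) => (typeof data === 'string' ? JSON.parse(data) : data)],
};

// Keys the adapter reads that have no entry in defaults (listed in the advisory).
const ADAPTER_ONLY_KEYS = ['proxy', 'socketPath', 'transport', 'lookup',
  'beforeRedirect', 'httpAgent', 'httpsAgent'];
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Naive merge: plain-object accumulator and reads through the prototype chain, so
// `user[key]` for an unset key and `merged.proxy` both resolve to Object.prototype.
function mergeConfigNaive(defaults, user) {
  const merged = {};
  for (const key of Object.keys({ ...defaults, ...user })) {
    merged[key] = user[key] !== undefined ? user[key] : defaults[key];
  }
  return merged;
}

// Hardened merge (Fixes 1 and 3): null-prototype accumulator and own-property
// reads only, so inherited values are never copied and never found by lookup.
function mergeConfigHardened(defaults, user) {
  const merged = Object.create(null);
  for (const key of new Set([...Object.keys(defaults), ...Object.keys(user)])) {
    if (hasOwn(user, key)) merged[key] = user[key];
    else if (hasOwn(defaults, key)) merged[key] = defaults[key];
  }
  return merged;
}

// Fix 2: adapter-side read of a security-sensitive option, own properties only.
function readAdapterOption(config, key) {
  if (!ADAPTER_ONLY_KEYS.includes(key)) throw new RangeError(`not an adapter-only key: ${key}`);
  return hasOwn(config, key) ? config[key] : undefined;
}

// Validate that transformResponse holds only functions before any of them runs.
function assertTransforms(config) {
  const t = config.transformResponse;
  const list = Array.isArray(t) ? t : [t];
  if (list.some((fn) => typeof fn !== 'function')) {
    throw new TypeError('transformResponse must contain only functions');
  }
  return list;
}

// Test harness: add an inherited property the way an upstream gadget would, run fn,
// and always remove it again afterwards so the process is left clean.
function withPollutedPrototype(key, value, fn) {
  Object.prototype[key] = value;
  try { return fn(); } finally { delete Object.prototype[key]; }
}

// Run both merges under a polluted `proxy` and a polluted `transformResponse`.
function compareMerges() {
  const user = { url: 'http://api.internal.example/v1/items' }; // constructed sample config
  const proxyCase = withPollutedPrototype('proxy', { host: 'proxy.invalid', port: 8080 }, () => ({
    naiveInherits: mergeConfigNaive(DEFAULTS, user).proxy !== undefined,
    hardenedInherits: mergeConfigHardened(DEFAULTS, user).proxy !== undefined,
    ownRead: readAdapterOption(mergeConfigNaive(DEFAULTS, user), 'proxy'),
  }));
  const transformCase = withPollutedPrototype('transformResponse', () => true, () => ({
    naiveUsesPolluted: mergeConfigNaive(DEFAULTS, user).transformResponse !== DEFAULTS.transformResponse,
    hardenedUsesDefault: mergeConfigHardened(DEFAULTS, user).transformResponse === DEFAULTS.transformResponse,
  }));
  return { proxyCase, transformCase };
}
```

Calling `compareMerges()` returns `naiveInherits: true` and `hardenedInherits: false` for the proxy case, and shows the naive merge adopting the polluted transform while the hardened merge keeps the default.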
Release Notes
axios/axios (axios)
v1.16.0 (Compare Source)
v1.16.0 — May 2, 2026
This release adds support for the QUERY HTTP method and a new `ECONNREFUSED` error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

- The fetch adapter now honours `maxBodyLength` and `maxContentLength`. These limits were silently ignored on the fetch adapter prior to 1.16.0; anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
- User-supplied `Host` headers are preserved when forwarding through a proxy. Previously, the proxy path could overwrite a custom `Host`. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
- Basic auth credentials in URLs are now properly URL-decoded (`https://user:p%40ss@host`); the decoded value is what now goes on the wire. (#10825)
- `parseProtocol` now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
- The legacy `unescape()` call was replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy `unescape()` quirks may see different output bytes. (#7378)
- The `transformRequest` input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review; net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features
- Added `ECONNREFUSED` as a constant on `AxiosError` so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
- Exposed the `encode` helper from `buildURL` so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes
- Added a `requestDetails` argument on `beforeRedirect`, preserved user-supplied `Host` headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
- Rejected with an `AxiosError` when a stream is aborted after headers arrive, honoured the `timeout` option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and `maxRedirects: 0`. (#10708, #10819, #7149)
- Honoured `maxBodyLength`/`maxContentLength` in the fetch adapter, set the `User-Agent` header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a `TypeError` in restricted environments. (#10795, #10772, #10806, #7260)
- Removed `cancelToken` and `AbortSignal` listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
- Raised an `AxiosError` when `JSON.parse` fails inside `dispatchRequest`, prevented `settle` from emitting `undefined` error codes, and tightened the `parseProtocol` regex to require a colon in the protocol separator. (#10724, #7276, #10729)
- Aligned `CancelToken` typings with the ESM build, fixed a compiler error caused by `RawAxiosHeaders`, and re-exported `create` from the package index. (#7414, #6389, #6460)
- Replaced the legacy `unescape()` call with a modern UTF-8 encoding implementation. (#7378)

🔧 Maintenance & Chores
- Refactored the `utils` module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
- Addressed `FormData` EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
- Documented `paramsSerializer.encode` for strict RFC 3986 query encoding, updated the `parseReviver` TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
- Reverted the `transformRequest` input typing change from #10745 after follow-up review. (#10745, #10810)
- Bumped `actions/setup-node`, the `github-actions` group, and `postcss` (in `/docs`) to their latest versions. (#10785, #10813, #10814)

🌟 New Contributors
We are thrilled to welcome our new contributors. Thank you for helping improve axios:
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.