Source: node-axios
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for node-axios.
All fixed in 1.15.1
CVE-2026-42033[0]:
| Axios is a promise based HTTP client for the browser and Node.js.
| Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted
| by any co-dependency with keys that axios reads without a
| hasOwnProperty guard, an attacker can (a) silently intercept and
| modify every JSON response before the application sees it, or (b)
| fully hijack the underlying HTTP transport, gaining access to
| request credentials, headers, and body. The precondition is
| prototype pollution from a separate source in the same process. This
| vulnerability is fixed in 1.15.1 and 0.31.1.
CVE-2026-42034[1]:
| Axios is a promise based HTTP client for the browser and Node.js.
| Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength
| is bypassed when maxRedirects is set to 0 (native http/https
| transport path). Oversized streamed uploads are sent fully even when
| the caller sets strict body limits. This vulnerability is fixed in
| 1.15.1 and 0.31.1.
CVE-2026-42035[2]:
| Axios is a promise based HTTP client for the browser and Node.js.
| Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in
| the Axios HTTP adapter (lib/adapters/http.js) that allows an
| attacker to inject arbitrary HTTP headers into outgoing requests.
| The vulnerability exploits duck-type checking of the data payload,
| where if Object.prototype is polluted with getHeaders, append, pipe,
| on, once, and Symbol.toStringTag, Axios misidentifies any plain
| object payload as a FormData instance and calls the attacker-
| controlled getHeaders() function, merging the returned headers into
| the outgoing request. The vulnerable code resides exclusively in
| lib/adapters/http.js. The prototype pollution source does not need
| to originate from Axios itself — any prototype pollution primitive
| in any dependency in the application's dependency tree is sufficient
| to trigger this gadget. This vulnerability is fixed in 1.15.1 and
| 0.31.1.
CVE-2026-42036[3]:
| Axios is a promise based HTTP client for the browser and Node.js.
| Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used,
| Axios returns the response stream without enforcing
| maxContentLength. This bypasses configured response-size limits and
| allows unbounded downstream consumption. This vulnerability is fixed
| in 1.15.1 and 0.31.1.
CVE-2026-42037[4]:
| Axios is a promise based HTTP client for the browser and Node.js.
| From 1.0.0 to before 1.15.1, the FormDataPart constructor in
| lib/helpers/formDataToStream.js interpolates value.type directly
| into the Content-Type header of each multipart part without
| sanitizing CRLF (\r\n) sequences. An attacker who controls the .type
| property of a Blob/File-like object (e.g., via a user-uploaded file
| in a Node.js proxy service) can inject arbitrary MIME part headers
| into the multipart form-data body. This bypasses Node.js v18+ built-
| in header protections because the injection targets the multipart
| body structure, not HTTP request headers. This vulnerability is
| fixed in 1.15.1.
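The CRLF issue above is a body-level header injection, which is why Node's own request-header checks do not catch it: the part headers are just bytes in the multipart payload. The following is an added example, not axios code or the fixed axios routine; it validates the media type as a bare RFC 7230 type/subtype token pair and quotes the name parameters, and the function names are assumptions for this illustration.

```javascript
// Added example, not axios code: building the per-part header block of a
// multipart/form-data body with the Content-Type value validated instead of
// interpolated verbatim. Function names are assumptions for this example.
const CRLF = '\r\n';

// A bare media type is type "/" subtype, both RFC 7230 tokens. Parameters
// (e.g. "; charset=utf-8") are deliberately not accepted here.
const MEDIA_TYPE_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+\/[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Returns a Content-Type value that is safe to place on its own header
// line, or throws. An empty/missing type falls back to octet-stream.
function safeContentType(type) {
  if (type === undefined || type === null || type === '') {
    return 'application/octet-stream';
  }
  if (typeof type !== 'string' || !MEDIA_TYPE_RE.test(type)) {
    // Rejects CR, LF, NUL, spaces and any other non-token byte, so a value
    // such as 'text/plain\r\nX-Injected: 1' never reaches the body.
    throw new TypeError(`invalid media type for part Content-Type: ${JSON.stringify(type)}`);
  }
  return type;
}

// Field names and filenames are emitted as quoted-strings: CR/LF are
// removed and quotes/backslashes escaped, so they cannot end the line.
function quotedParam(value) {
  return `"${String(value).replace(/[\r\n]/g, '').replace(/["\\]/g, '\\$&')}"`;
}

// Header block for one part, ending with the blank line before the payload.
function partHeaders(name, filename, type) {
  let disposition = `form-data; name=${quotedParam(name)}`;
  if (filename !== undefined) disposition += `; filename=${quotedParam(filename)}`;
  const lines = [`Content-Disposition: ${disposition}`];
  if (filename !== undefined || type) {
    lines.push(`Content-Type: ${safeContentType(type)}`);
  }
  return lines.join(CRLF) + CRLF + CRLF;
}

// Cheap invariant check on a finished part: a block built here has at most
// two header lines, so a higher count means something injected a line.
function headerLineCount(headerBlock) {
  return headerBlock.split(CRLF).filter((line) => line.length > 0).length;
}
```

Rejecting rather than stripping is the safer default for the media type: a stripped value would silently change what the receiving server sees, while an exception surfaces the bad input at the proxy boundary where the file was accepted.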
CVE-2026-42038[5]:
| Axios is a promise based HTTP client for the browser and Node.js.
| Prior to 1.15.1 and 0.31.1, the fix for no_proxy hostname
| normalization bypass is incomplete. When no_proxy=localhost is set,
| requests to 127.0.0.1 and [::1] still route through the proxy
| instead of bypassing it. The shouldBypassProxy() function does pure
| string matching — it does not resolve IP aliases or loopback
| equivalents. This vulnerability is fixed in 1.15.1 and 0.31.1.
CVE-2026-42039[6]:
| Axios is a promise based HTTP client for the browser and Node.js.
| Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested
| objects with no depth limit, so a deeply nested value passed as
| request data crashes the Node.js process with a RangeError. This
| vulnerability is fixed in 1.15.1 and 0.31.1.
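The toFormData crash above is the usual shape of an unbounded recursion bug: the depth of the input, not its size, decides whether the process dies. The following is an added example, not axios code or its toFormData implementation; it flattens nested request data into bracketed form keys with an explicit stack and a depth bound, so deep input produces a catchable error instead of exhausting the call stack. The function names and the default depth are assumptions for this illustration.

```javascript
// Added example, not axios code: a depth-bounded walk that flattens nested
// request data into form-data pairs. Nesting beyond maxDepth is reported as
// an error instead of recursing until the engine throws RangeError itself.
function flattenForForm(value, { maxDepth = 32 } = {}) {
  const pairs = [];
  // Iterative walk with an explicit stack: a deep input cannot blow the
  // call stack, and the depth of each entry travels with it.
  const stack = [{ key: '', val: value, depth: 0 }];
  const seen = new WeakSet();
  while (stack.length > 0) {
    const { key, val, depth } = stack.pop();
    if (depth > maxDepth) {
      throw new RangeError(`form data nesting exceeds maxDepth=${maxDepth}`);
    }
    if (val !== null && typeof val === 'object' && !(val instanceof Date)) {
      if (seen.has(val)) throw new TypeError('circular reference in form data');
      seen.add(val);
      // Object.entries only yields own enumerable keys, so inherited
      // (prototype) properties are never serialised.
      const entries = Array.isArray(val)
        ? val.map((v, i) => [String(i), v])
        : Object.entries(val);
      // Push in reverse so the output order matches declaration order.
      for (let i = entries.length - 1; i >= 0; i--) {
        const [k, v] = entries[i];
        const childKey = key ? `${key}[${k}]` : k;
        stack.push({ key: childKey, val: v, depth: depth + 1 });
      }
    } else if (key) {
      pairs.push([key, val instanceof Date ? val.toISOString() : String(val)]);
    }
  }
  return pairs;
}

// Constructed sample input: an object nested n levels deep ending in 'leaf'.
function nested(n) {
  let v = 'leaf';
  for (let i = 0; i < n; i++) v = { a: v };
  return v;
}
```

With the default bound a request of the shape `nested(100)` fails fast with a RangeError from this function, which the caller can map to a 400 response, whereas an unbounded recursive walk fails only when the engine's stack is gone. The bound also caps the amount of work a single request can trigger in the serialiser.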
CVE-2026-42040[7]:
| Axios is a promise based HTTP client for the browser and Node.js.
| Prior to 1.15.1 and 0.31.1, the encode() function in
| lib/helpers/AxiosURLSearchParams.js contains a character mapping
| (charMap) at line 21 that reverses the safe percent-encoding of null
| bytes. After encodeURIComponent('\x00') correctly produces the safe
| sequence %00, the charMap entry '%00': '\x00' converts it back to a
| raw null byte. Primary impact is limited because the standard axios
| request flow is not affected. This vulnerability is fixed in 1.15.1
| and 0.31.1.
CVE-2026-42041[8]:
| Axios is a promise based HTTP client for the browser and Node.js.
| Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a
| Prototype Pollution "Gadget" attack that allows any Object.prototype
| pollution to silently suppress all HTTP error responses (401, 403,
| 500, etc.), causing them to be treated as successful responses. This
| completely bypasses application-level authentication and error
| handling. The root cause is that validateStatus is the only config
| property using the mergeDirectKeys merge strategy, which uses
| JavaScript's in operator — an operator that inherently traverses the
| prototype chain. When Object.prototype.validateStatus is polluted
| with () => true, all HTTP status codes are accepted as success. This
| vulnerability is fixed in 1.15.1 and 0.31.1.
CVE-2026-42042[9]:
| Axios is a promise based HTTP client for the browser and Node.js.
| Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token
| protection logic uses JavaScript truthy/falsy semantics instead of
| strict boolean comparison for the withXSRFToken config property.
| When this property is set to any truthy non-boolean value (via
| prototype pollution or misconfiguration), the same-origin check
| (isURLSameOrigin) is short-circuited, causing XSRF tokens to be sent
| to all request targets including cross-origin servers controlled by
| an attacker. This vulnerability is fixed in 1.15.1 and 0.31.1.
CVE-2026-42043[10]:
| Axios is a promise based HTTP client for the browser and Node.js.
| Prior to 1.15.1 and 0.31.1, an attacker who can influence the target
| URL of an Axios request can use any address in the 127.0.0.0/8 range
| (other than 127.0.0.1) to completely bypass the NO_PROXY protection.
| This vulnerability is due to an incomplete fix for CVE-2025-62718. This
| vulnerability is fixed in 1.15.1 and 0.31.1.
CVE-2026-42044[11]:
| Axios is a promise based HTTP client for the browser and Node.js.
| From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a
| Prototype Pollution "Gadget" attack that allows any Object.prototype
| pollution in the application's dependency tree to be escalated into
| surgical, invisible modification of all JSON API responses —
| including privilege escalation, balance manipulation, and
| authorization bypass. The default transformResponse function at
| lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver),
| where this is the merged config object. Because parseReviver is not
| present in Axios defaults, not validated by assertOptions, and not
| subject to any constraints, a polluted Object.prototype.parseReviver
| function is called for every key-value pair in every JSON response,
| allowing the attacker to selectively modify individual values while
| leaving the rest of the response intact. This vulnerability is fixed
| in 1.15.2.
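CVE-2026-42033, CVE-2026-42041 and CVE-2026-42044 share one root cause: a configuration key is read through the prototype chain (`key in obj`, or a plain property read of a key that defaults has no own value for), so a key planted on Object.prototype by an unrelated dependency is accepted as if the caller had set it. The following is an added example, not axios code or its mergeConfig: it merges only own properties and only calls a reviver or status validator the caller explicitly set. Function and constant names are assumptions for this illustration. To show the effect without touching the global prototype, the check constructs an overrides object whose own prototype carries the planted keys, which is exactly what a polluted Object.prototype looks like to the merging code.

```javascript
// Added example, not axios code: config merging and lookups that honour
// only own properties, so keys inherited from a (possibly polluted)
// prototype are ignored. mergeConfig, DEFAULTS and the key list are
// assumptions for this example, not axios internals.
const hasOwn = (obj, key) =>
  obj !== null && obj !== undefined && Object.prototype.hasOwnProperty.call(obj, key);

const DEFAULTS = Object.freeze({
  validateStatus: (status) => status >= 200 && status < 300,
  parseReviver: undefined,
  maxContentLength: -1,
});

// Only own properties of `overrides` may replace a default. `key in obj`
// would also find keys planted on Object.prototype; hasOwn does not.
// The result has a null prototype, so later lookups cannot fall through
// to Object.prototype either.
function mergeConfig(defaults, overrides) {
  const out = Object.create(null);
  for (const key of Object.keys(defaults)) {
    out[key] = hasOwn(overrides, key) ? overrides[key] : defaults[key];
  }
  return out;
}

// A reviver is used only if it is an own, function-valued property of the
// merged config; otherwise JSON.parse runs without one.
function parseJsonResponse(text, config) {
  const reviver =
    hasOwn(config, 'parseReviver') && typeof config.parseReviver === 'function'
      ? config.parseReviver
      : undefined;
  return JSON.parse(text, reviver);
}

// Status validation falls back to the built-in default unless the merged
// config carries its own function-valued validateStatus.
function isSuccess(status, config) {
  const validate =
    hasOwn(config, 'validateStatus') && typeof config.validateStatus === 'function'
      ? config.validateStatus
      : DEFAULTS.validateStatus;
  return Boolean(validate(status));
}

// Test fixture: an overrides object that *inherits* the given keys. To the
// merge code this is indistinguishable from a polluted Object.prototype,
// but nothing global is modified.
function inheritedOverrides(plantedKeys) {
  return Object.create(plantedKeys);
}
```

The same discipline applies to every key a library reads from caller-supplied or merged objects: decide per key whether a value must be own, and never let an `in` check or a bare property read stand in for that decision. The null-prototype result is the second half of the fix, since a merged object that still inherits from Object.prototype can be reached by a later pollution even if the merge itself was clean.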
If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-42033
https://www.cve.org/CVERecord?id=CVE-2026-42033
[1] https://security-tracker.debian.org/tracker/CVE-2026-42034
https://www.cve.org/CVERecord?id=CVE-2026-42034
[2] https://security-tracker.debian.org/tracker/CVE-2026-42035
https://www.cve.org/CVERecord?id=CVE-2026-42035
[3] https://security-tracker.debian.org/tracker/CVE-2026-42036
https://www.cve.org/CVERecord?id=CVE-2026-42036
[4] https://security-tracker.debian.org/tracker/CVE-2026-42037
https://www.cve.org/CVERecord?id=CVE-2026-42037
[5] https://security-tracker.debian.org/tracker/CVE-2026-42038
https://www.cve.org/CVERecord?id=CVE-2026-42038
[6] https://security-tracker.debian.org/tracker/CVE-2026-42039
https://www.cve.org/CVERecord?id=CVE-2026-42039
[7] https://security-tracker.debian.org/tracker/CVE-2026-42040
https://www.cve.org/CVERecord?id=CVE-2026-42040
[8] https://security-tracker.debian.org/tracker/CVE-2026-42041
https://www.cve.org/CVERecord?id=CVE-2026-42041
[9] https://security-tracker.debian.org/tracker/CVE-2026-42042
https://www.cve.org/CVERecord?id=CVE-2026-42042
[10] https://security-tracker.debian.org/tracker/CVE-2026-42043
https://www.cve.org/CVERecord?id=CVE-2026-42043
[11] https://security-tracker.debian.org/tracker/CVE-2026-42044
https://www.cve.org/CVERecord?id=CVE-2026-42044
Please adjust the affected versions in the BTS as needed.
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel