
CVE-2026-44494 is a Prototype Pollution Gadget vulnerability in the Axios HTTP library (npm) that enables a full Man-in-the-Middle (MITM) attack by allowing any Object.prototype pollution in the application's dependency tree to be escalated into interception and modification of all HTTP traffic, including authentication credentials. It affects all Axios versions from v0.x through v1.x up to and including v1.15.0, with v1.16.0 being the patched release. The vulnerability was discovered on April 16, 2026, and publicly disclosed via GitHub Security Advisory on May 29, 2026. The GitHub Advisory Database assigns a CVSS v3.1 score of 8.7 (High) using the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N, while the advisory text also references a reporter-calculated score of 9.4 (Critical) (GitHub Advisory, Axios Advisory).
The root cause is classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes / Prototype Pollution) and CWE-441 (Unintended Proxy or Intermediary / Confused Deputy). The vulnerable code is in lib/adapters/http.js at line 670, where config.proxy is read via standard JavaScript property access, which traverses the prototype chain. Because proxy is not defined in Axios's default configuration (lib/defaults/index.js), the merged config object never has an own proxy property; consequently, mergeConfig never processes it via defaultToConfig2, leaving the prototype chain fully exposed. An attacker who can pollute Object.prototype.proxy via any other vulnerable library in the dependency tree (e.g., qs, minimist, lodash, body-parser) will cause Axios's setProxy() function to route all HTTP requests through the attacker-controlled proxy — with zero additional constraints, unlike the transformResponse gadget which is limited by assertOptions. A verified PoC is publicly available in the advisory (GitHub Advisory, Axios Advisory).
Successful exploitation grants an attacker a full MITM position over all HTTP requests made by the affected application, including those from third-party libraries that use Axios internally. The attacker can intercept and read all Authorization headers, cookies, API keys, session tokens, and request bodies in plaintext, and can arbitrarily tamper with or forge all HTTP responses — with no constraints analogous to the transformResponse gadget. Additionally, the proxy receives full request URLs, enabling internal network reconnaissance by revealing internal hostnames, ports, and API paths. The attack is invisible to developers, as requests complete normally from the application's perspective, and it bypasses the header sanitization fix introduced in v1.15.0 (GHSA-fvcv-3m26-pcqx) (GitHub Advisory).
Upgrade Axios to v1.16.0 or later, which is the patched version addressing this vulnerability. The recommended code-level fix is to use Object.prototype.hasOwnProperty.call(config, 'proxy') before reading config.proxy in lib/adapters/http.js, ensuring prototype chain traversal cannot inject a proxy value. Additional hardening includes applying hasOwnProperty checks to other security-sensitive config properties not present in Axios defaults (socketPath, transport, lookup, beforeRedirect, httpAgent, httpsAgent), or using a null-prototype object for the merged config via Object.create(null) in lib/core/mergeConfig.js. As a dependency-level workaround, audit and remediate all prototype-pollution-vulnerable libraries in the application's dependency tree to eliminate the pollution primitive (GitHub Advisory, Axios Advisory).
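The following is an added example, not code from Axios or from the advisory, that illustrates the mechanism described above and the two fixes the advisory recommends. The merge helpers, `readProxyUnsafe`, `readProxySafe`, and the sample config values are hypothetical stand-ins for the shape of the problem, not Axios's `mergeConfig` or `setProxy`. To keep the example self-contained and avoid touching the process-wide `Object.prototype`, the polluted prototype is a constructed object placed at the top of the config's chain; a real pollution primitive would put the same `proxy` key on `Object.prototype` itself, with the same effect on a plain property read.

```javascript
// Added example (not Axios's own code). Shows why `config.proxy` read by
// plain property access picks up an inherited value when the merged config
// has no own `proxy` key, and how an own-property check or a null-prototype
// merge target removes that path.

// Constructed stand-in for a polluted Object.prototype. The real gadget
// resolves config.proxy through Object.prototype; using a separate object
// here keeps the example from modifying the global prototype.
const pollutedBase = Object.create(Object.prototype);
pollutedBase.proxy = { host: 'proxy.example.invalid', port: 8080 }; // constructed value

// Hypothetical merge mirroring the problem shape: defaults carry no `proxy`
// key, so the merged object never receives an own `proxy` property.
function mergeConfigPlain(defaults, userConfig, base = Object.prototype) {
  const merged = Object.create(base);
  for (const key of Object.keys(defaults)) merged[key] = defaults[key];
  for (const key of Object.keys(userConfig)) merged[key] = userConfig[key];
  return merged;
}

// Hardened merge: a null-prototype target has no chain to inherit from,
// the approach the advisory suggests for lib/core/mergeConfig.js.
function mergeConfigNullProto(defaults, userConfig) {
  const merged = Object.create(null);
  for (const key of Object.keys(defaults)) merged[key] = defaults[key];
  for (const key of Object.keys(userConfig)) merged[key] = userConfig[key];
  return merged;
}

// Vulnerable read pattern: plain property access walks the prototype chain.
function readProxyUnsafe(config) {
  return config.proxy;
}

// Hardened read pattern from the advisory: honour only an own property.
function readProxySafe(config) {
  return Object.prototype.hasOwnProperty.call(config, 'proxy') ? config.proxy : undefined;
}

// Cheap runtime integrity check a defender can run at startup or in tests:
// built-in Object.prototype members are non-enumerable, so assignment-style
// pollution (obj.proxy = ...) shows up as an enumerable own key. A clean
// process returns [].
function enumerableKeysOnObjectPrototype() {
  return Object.keys(Object.prototype);
}

const defaults = { timeout: 0, maxRedirects: 5 };                 // constructed; no proxy key
const userConfig = { url: 'https://api.example.invalid/login' };  // constructed

function demo() {
  const inherited = mergeConfigPlain(defaults, userConfig, pollutedBase);
  const isolated = mergeConfigNullProto(defaults, userConfig);
  return {
    unsafeOnInherited: readProxyUnsafe(inherited), // inherited proxy leaks through
    safeOnInherited: readProxySafe(inherited),     // undefined: own-property check blocks it
    unsafeOnNullProto: readProxyUnsafe(isolated),  // undefined: no chain to walk
    prototypePollutionKeys: enumerableKeysOnObjectPrototype(), // [] in this example
  };
}

console.log(demo());
```

The `readProxySafe` check is the minimal fix at the read site; the null-prototype merge removes the class of problem for every config key that has no default, which is why the advisory lists it alongside per-property `hasOwnProperty` checks for `socketPath`, `transport`, `lookup`, `beforeRedirect`, `httpAgent` and `httpsAgent`.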
Security news outlet SecurityOnline covered the Axios proxy vulnerabilities following the disclosure (SecurityOnline). Loginsoft's weekly threat intelligence roundup highlighted the vulnerability as part of "resurfaced vulnerabilities" and "weaponized workflows" for the relevant week (Loginsoft Medium). The advisory was published by Axios maintainer jasonsaayman and quickly picked up by vulnerability tracking platforms including OSV, Chainguard, Wolfi, and GitLab Advisories, reflecting broad ecosystem awareness. The Skyvern AI project (v1.0.38) was among the first downstream projects to release an update referencing the fix (Skyvern Release).
Source: This report was generated using artificial intelligence.