CVE-2026-44495 is a Prototype Pollution Gadget vulnerability in the Axios HTTP client library (npm) that enables credential theft and response hijacking across all Axios requests when Object.prototype has been polluted by another vulnerability in the same JavaScript process. It affects Axios versions >=0.19.0 and <0.31.1, and >=1.0.0 and <1.15.2, including v1.15.0, which was previously patched for a related issue. The vulnerability was discovered on April 15, 2026, and publicly disclosed on May 29, 2026, via a GitHub Security Advisory. It carries a CVSS v3.1 base score of 7.0 (High) (GitHub Advisory, Axios Advisory).
The root cause is classified under CWE-1321 (Prototype Pollution) and CWE-94 (Code Injection). In affected versions, mergeConfig() in lib/core/mergeConfig.js reads config properties via standard property access (config2[prop]), which traverses the JavaScript prototype chain rather than checking own properties. When Object.prototype.transformResponse has been polluted with a malicious function by a separate vulnerability (e.g., in qs, minimist, lodash, or body-parser), Axios's mergeConfig() picks up the polluted value as if it were a legitimate config entry. The injected function is subsequently executed by transformData() in lib/core/transformData.js with this = config, exposing auth.username, auth.password, the request URL, all headers, and the raw response body. Some later v1 releases partially guarded the merge path but still used inherited properties during validator.assertOptions(), allowing a narrower but still exploitable path. Exploitation requires a pre-existing prototype pollution primitive in the same process — Axios itself does not introduce the initial pollution (GitHub Advisory, Axios Advisory).
Successful exploitation allows an attacker to intercept and exfiltrate credentials (auth.username, auth.password, Authorization headers), raw response data, and request URLs from every Axios request in the affected application — including those made by third-party libraries that depend on Axios. Response data returned to application code can be replaced with attacker-controlled values, causing application logic failures or silent data tampering. Additionally, polluting Object.prototype.transformResponse with a non-function value (e.g., an array) causes a TypeError: validator is not a function crash on every Axios request, resulting in a denial-of-service condition. The scope is process-wide, meaning all Axios consumers within the same Node.js process or browser context are affected (GitHub Advisory, Axios Advisory).
Upgrade Axios to the patched versions: 1.15.2 (for v1.x users) or 0.31.1 (for v0.x users). Fixed versions use own-property checks (hasOwnProperty) in mergeConfig() and null-prototype config objects, preventing inherited Object.prototype values from being treated as Axios config entries. As a defense-in-depth measure, audit and update all dependencies in the application's tree that are known to introduce prototype pollution (e.g., qs, minimist, lodash), since this vulnerability requires a pre-existing pollution primitive to be exploitable. There is no configuration-based workaround that fully mitigates the issue without upgrading Axios (GitHub Advisory, Axios Advisory).
The advisory was published by Axios maintainer jasonsaayman on May 29, 2026, via the official GitHub Security Advisory system. The vulnerability was noted to be in the same class as the previously disclosed GHSA-fvcv-3m26-pcqx (a related prototype pollution gadget in Axios rated Critical), highlighting a recurring pattern of prototype chain traversal issues in Axios's config merge logic. A Nessus detection plugin (ID 318802) was published by Tenable shortly after disclosure, indicating prompt uptake by the security tooling community (Tenable, GitLab Advisory).
Source: This report was generated using artificial intelligence.