CVE-2026-44489
3.7 LOW
Axios is a promise based HTTP client for the browser and Node.js
Published: 2026-06-11 · Last updated: 2026-06-11
Severity and scoring
- CVSS: 3.7 LOW
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
- CWE: CWE-113, CWE-1321
Description
Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request. This vulnerability is fixed in 1.16.0.
Source: NVD
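The read pattern described above, reduced to a stand-alone Node.js sketch. This is an added example, not Axios source code: proxyAuthUnguarded, proxyAuthOwnOnly and demo are hypothetical names, and the proxy host and polluted value are constructed. It contrasts an inherited-property read with an own-property read and a null-prototype config object, and lists enumerable keys on Object.prototype as a quick pollution check.

```javascript
'use strict';

const b64 = (s) => 'Basic ' + Buffer.from(s, 'utf8').toString('base64');

// Unguarded read: anything found on the prototype chain is treated as if the
// caller had configured it on the proxy object.
function proxyAuthUnguarded(proxy) {
  let auth = proxy.auth;
  if (proxy.username) auth = `${proxy.username}:${proxy.password || ''}`;
  return auth ? b64(auth) : undefined;
}

// Own-property read: inherited values are ignored.
const own = (obj, key) =>
  Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;

function proxyAuthOwnOnly(proxy) {
  let auth = own(proxy, 'auth');
  const username = own(proxy, 'username');
  if (username) auth = `${username}:${own(proxy, 'password') || ''}`;
  return auth ? b64(auth) : undefined;
}

function demo() {
  // Constructed proxy config with no credentials set.
  const proxy = { host: 'proxy.internal.example', port: 3128 };
  const before = proxyAuthUnguarded(proxy);
  // Simulate pollution caused elsewhere in the process (constructed value).
  Object.prototype.username = 'polluted-user';
  try {
    return {
      before,
      unguarded: proxyAuthUnguarded(proxy),
      ownOnly: proxyAuthOwnOnly(proxy),
      // Same unguarded reader, but the config object has no prototype.
      nullProto: proxyAuthUnguarded(Object.assign(Object.create(null), proxy)),
      // Normally empty; any entry here signals a polluted Object.prototype.
      pollutedKeys: Object.keys(Object.prototype),
    };
  } finally {
    delete Object.prototype.username; // restore global state
  }
}

console.log(demo());
```

Upgrading to 1.16.0 is the fix the advisory names; the own-property and null-prototype patterns are general hardening for code that reads optional config fields.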
References
Related CVEs
Same CWE
- CVE-2026-44495 — Axios is a promise based HTTP client for the browser and Node.js (7.0 HIGH)
- CVE-2026-44494 — Axios is a promise based HTTP client for the browser and Node.js (8.7 HIGH)
- CVE-2026-44490 — Axios is a promise based HTTP client for the browser and Node.js (4.8 MEDIUM)
- CVE-2026-49214 — guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP (5.3 MEDIUM)
- CVE-2026-46625 — JavaScript Cookie is a JavaScript API for handling cookies, client-side (7.5 HIGH)