Axios, Authentication Bypass via Prototype Pollution, CVE(TBD) (High)


How the CVE Works

The vulnerability lies in Axios's config merge logic. `validateStatus` is the only property that uses the `mergeDirectKeys` merge strategy, and that strategy relies on JavaScript's `in` operator. Because `in` traverses the prototype chain, a polluted `Object.prototype.validateStatus` function is picked up as if it were part of the request config. An attacker who can pollute `Object.prototype` (through any other library in the stack) sets `Object.prototype.validateStatus = () => true`. When Axios merges configs for an HTTP request, `'validateStatus' in config2` returns `true` because the prototype now holds that property, so the merged `validateStatus` becomes `() => true`. In settle.js, `validateStatus(response.status)` then always returns true, and every HTTP status (401, 403, 500, etc.) resolves the promise instead of rejecting it. Applications whose authentication or error handling lives in `catch` blocks never see the failure, so those checks are silently bypassed. The attacker needs no direct user input: any prototype pollution gadget in the dependency chain triggers the issue. All Axios versions v0.x through v1.x (including v1.15.0) are affected.

DailyCVE Form

Platform: Axios
Version: All versions
Vulnerability: Prototype pollution gadget
Severity: High (8.2)
Date: 2026-04-16

Prediction: May 15 2026

What Undercode Say:

Check whether prototype pollution affects your axios install (one-liner; needs network access to httpstat.us):
node -e "Object.prototype.validateStatus = () => true; const axios = require('axios'); axios.get('http://httpstat.us/401').then(() => console.log('BYPASSED'), () => console.log('REJECTED'));"
// Simulate pollution in a test environment and show why the `in` check is fooled
Object.prototype.validateStatus = () => true;
const config = { url: '/admin' }; // no validateStatus of its own
console.log('validateStatus' in config); // true (inherited from the polluted prototype)
console.log(Object.prototype.hasOwnProperty.call(config, 'validateStatus')); // false (own-property check is not fooled)
delete Object.prototype.validateStatus; // clean up so the pollution does not leak into other tests

Exploit:

  1. Find any prototype pollution source in the application (e.g., `merge` with user keys, lodash.merge, jQuery extend).
  2. Inject `{"__proto__": {"validateStatus": "() => true"}}` as JSON or query parameter.
  3. Once `Object.prototype.validateStatus = () => true` is set, all subsequent Axios calls treat 401/403/500 as success.
  4. Attacker accesses protected endpoints without credentials; authentication checks are entirely bypassed.

Protection from this CVE

  • Patch Axios manually: replace `in` with `hasOwnProperty` in `mergeDirectKeys` (see fix).
  • Freeze `Object.prototype` early in app: Object.freeze(Object.prototype).
  • Use the `--disable-proto=delete` Node flag (v20+) to prevent prototype pollution.
  • Validate all recursive merges; avoid using user-controlled keys in __proto__, constructor, prototype.
  • Upgrade to patched version once available (predicted May 2026).
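The following is an added example (not Axios's own code) that models the merge step from "How the CVE Works" and the first protection bullet above in one runnable file. `mergeDirectKeysVulnerable` mirrors the described behaviour (an `in` check that walks the prototype chain), `mergeDirectKeysHardened` honours own properties only, `settleStatus` stands in for the settle.js decision, and `isPrototypePolluted` is the kind of runtime self-check a service can run at startup or in a health probe. All function names, the default status predicate and the sample request config are this example's own assumptions.

```javascript
// Added example: minimal model of the Axios merge behaviour described on the
// page, written the vulnerable way and the hardened way. Not Axios source.

// Assumed default: 2xx is success, everything else is an error.
const DEFAULT_VALIDATE_STATUS = (status) => status >= 200 && status < 300;

// Own-property check that ignores anything inherited from the prototype chain.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Vulnerable shape: `prop in obj` is also true for inherited (polluted) keys.
function mergeDirectKeysVulnerable(defaults, config, prop) {
  if (prop in config) return config[prop];
  if (prop in defaults) return defaults[prop];
  return undefined;
}

// Hardened shape: only a key the caller actually set on the object counts.
function mergeDirectKeysHardened(defaults, config, prop) {
  if (hasOwn(config, prop)) return config[prop];
  if (hasOwn(defaults, prop)) return defaults[prop];
  return undefined;
}

// Stand-in for settle.js: the promise resolves when there is no validator or
// the validator accepts the status, otherwise it rejects.
function settleStatus(validateStatus, status) {
  return !validateStatus || validateStatus(status) ? 'resolved' : 'rejected';
}

// Defender-side check: is there an own `prop` sitting on Object.prototype?
function isPrototypePolluted(prop) {
  return hasOwn(Object.prototype, prop);
}

// Merge a request config (constructed: no validateStatus of its own) against
// library defaults using the supplied strategy, then settle two statuses.
function runScenario(merge) {
  const defaults = { validateStatus: DEFAULT_VALIDATE_STATUS };
  const requestConfig = { url: '/admin' };
  const validateStatus = merge(defaults, requestConfig, 'validateStatus');
  return {
    status401: settleStatus(validateStatus, 401),
    status200: settleStatus(validateStatus, 200),
  };
}

// Pollute the prototype the way the page describes, compare both strategies,
// and always remove the gadget again so it cannot leak into the process.
function demonstratePollution() {
  Object.prototype.validateStatus = () => true;
  try {
    return {
      polluted: isPrototypePolluted('validateStatus'),
      vulnerable: runScenario(mergeDirectKeysVulnerable),
      hardened: runScenario(mergeDirectKeysHardened),
    };
  } finally {
    delete Object.prototype.validateStatus;
  }
}

// Stand-alone run: the vulnerable merge resolves the 401, the hardened one
// still rejects it, and the pollution is gone afterwards.
console.log(JSON.stringify(demonstratePollution(), null, 2));
console.log('still polluted after cleanup:', isPrototypePolluted('validateStatus'));
```

The hardened merge is the same change the protection list asks for (`in` replaced by an own-property check); `isPrototypePolluted` can be wired into a startup assertion so a polluted `validateStatus` fails loudly rather than turning every 401 into a success.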

Impact

  • Authentication Bypass – 401 → success, unauthenticated access to admin/private data.
  • Silent Error Swallowing – 500 errors become success, corrupting business logic.
  • Security Control Bypass – Rate limiting (429), WAF blocks (403), CAPTCHA all ignored.
  • Universal Scope – Affects every Axios instance, including third-party libraries using Axios.
  • CVSS 8.2 High – Network attack, low complexity, no privileges, high integrity impact.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
