CVE-2026-44489 | THREATINT

Description

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request. This vulnerability is fixed in 1.16.0.

PUBLISHED Reserved 2026-05-06 | Published 2026-06-11 | Updated 2026-06-11 | Assigner GitHub_M

LOW: 3.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Product status

1.15.2

affected

References

github.com/.../axios/security/advisories/GHSA-654m-c8p4-x5fp exploit

github.com/.../axios/security/advisories/GHSA-654m-c8p4-x5fp

cve.org (CVE-2026-44489)

nvd.nist.gov (CVE-2026-44489)

Download JSON