
10 matches found

RedHat Linux
added 2 days ago | 4 views

axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling

A flaw was found in Axios, a promise-based HTTP client. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to manipulate the Object.prototype.validateStatus property. By polluting this property, all HTTP error responses such as 401, 403, or 500 are silently treated as...

CVSS 6.5 | AI score 5.8 | EPSS 0.00148
Exploits: 1 | References: 5

Github Security Blog
added 2026/05/05 12:21 a.m. | 8 views

Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

Vulnerability Disclosure: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy Summary The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses 401, 403, 500,...

CVSS 6.5 | AI score 5.9 | EPSS 0.00148
Exploits: 1 | References: 3 | Affected Software: 1

EUVD
added 2026/05/05 12:21 a.m. | 1 views

EUVD-2026-25606

Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy...

CVSS 6.5 | AI score 5.8 | EPSS 0.00148
Exploits: 1 | References: 2

Patchstack
added 2026/05/05 12:21 a.m. | 5 views

NPM: Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

NPM: Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...

CVSS 6.5 | AI score 5.8 | EPSS 0.00148
Exploits: 1 | References: 3 | Affected Software: 1

OSV
added 2026/05/05 12:21 a.m. | 0 views

GHSA-W9J2-PVGH-6H63 Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

Vulnerability Disclosure: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy Summary The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses 401, 403, 500,...

CVSS 4.8 | AI score 5.9 | EPSS 0.00148
Exploits: 1 | References: 3

Snyk
added 2026/04/24 7:21 p.m. | 1 views

Prototype Pollution

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Prototype Pollution via the mergeDirectKeys function in mergeConfig. An attacker can force a request configuration to inherit attacker-controlled properties by supplying ...

CVSS 8.2 | AI score 6.7 | EPSS 0.00148
Exploits: 1 | References: 2

Cvelist
added 2026/04/24 5:55 p.m. | 23 views

CVE-2026-42041 Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses 401, 403, 500, etc., causing them to be...

CVSS 4.8 | EPSS 0.00148
Exploits: 1 | References: 1

Vulnrichment
added 2026/04/24 5:55 p.m. | 0 views

CVE-2026-42041 Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses 401, 403, 500, etc., causing them to be...

CVSS 4.8 | AI score 5.3 | EPSS 0.00148
Exploits: 1 | References: 1

CVE
added 2026/04/24 5:55 p.m. | 12 views

CVE-2026-42041

Affected software: Axios (browser and Node.js). Vulnerability: Prototype Pollution in the mergeDirectKeys path used by validateStatus, allowing pollution of Object.prototype that could cause all HTTP status codes to be treated as success. Root cause: The only config property using the mergeDirect...

CVSS 6.5 | AI score 5.3 | EPSS 0.00148
Exploits: 1 | References: 1 | Affected Software: 1

CNNVD
added 2026/04/24 12:0 a.m. | 4 views

Axios Authorization Issue Vulnerability

Axios is an open-source HTTP client developed by Axios. Versions prior to Axios 1.15.1 and 0.31.1 have a vulnerability related to authorization. This vulnerability stems from the use of the mergeDirectKeys merging strategy in validateStatus. This strategy uses the in operator to traverse the...

CVSS 6.5 | AI score 5.8 | EPSS 0.00148
Exploits: 1 | References: 1