8 matches found
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
Vulnerability Disclosure: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`. Summary: The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full...
CVE-2026-42035
Axios prior to versions 1.15.1 and 0.31.1 contains a prototype pollution gadget in the HTTP adapter (lib/adapters/http.js) that can inject arbitrary HTTP headers into outgoing requests. The issue occurs when Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toString...
CVE-2026-42035
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter lib/adapters/http.js that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type...
PT-2026-35043
Name of the Vulnerable Software and Affected Versions: Axios versions prior to 1.15.1; Axios versions prior to 0.31.1. Description: A prototype pollution gadget exists in the HTTP adapter located in 'lib/adapters/http.js'. This issue occurs due to duck-type checking of the data payload. If...
MAL-2025-180871 Malicious code in teate-thy-sonic-rapul (npm)
Source: amazon-inspector d58b404f04d1c5575dd01e2f20735a8356deef6f5d768556314176c39899d905 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-81211 Malicious code in sad_cow_z3n (npm)
Source: amazon-inspector c48593fcdaea4f73535e963c0e22b8c130e124e9cfd045c4cafe94e074a61e20 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-54514 Malicious code in qori-rawon49-sukiwir (npm)
Source: amazon-inspector e4e2332adbd92952eaf3d36db77ebb99879106e2bffcd4aaa283fcc060e14afd This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-52348 Malicious code in ocha-pisang66-miaww (npm)
Source: amazon-inspector ec40580f5aefa07782dab0dbb26f679141abba96d576f5e0ece0a5aa2080468d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...