CVE-2026-42035 - High Severity Vulnerability
Vulnerable Library - axios-0.19.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Path to dependency file: /day59/package.json
Path to vulnerable library: /day59/package.json,/day60/package.json
Dependency Hierarchy:
- browser-sync-2.26.13.tgz (Root Library)
- localtunnel-2.0.0.tgz
- ❌ axios-0.19.0.tgz (Vulnerable Library)
Found in HEAD commit: c88b9429eb68a85b22f0e39cac7bf20b89cb6709
Found in base branch: master
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.
Publish Date: 2026-04-24
URL: CVE-2026-42035
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-6chq-wfr3-2hj9
Release Date: 2026-04-24
Fix Resolution (axios): 1.15.1
Direct dependency fix Resolution (browser-sync): 3.0.0
Step up your Open Source Security Game with Mend here
CVE-2026-42035 - High Severity Vulnerability
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Path to dependency file: /day59/package.json
Path to vulnerable library: /day59/package.json,/day60/package.json
Dependency Hierarchy:
Found in HEAD commit: c88b9429eb68a85b22f0e39cac7bf20b89cb6709
Found in base branch: master
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.
Publish Date: 2026-04-24
URL: CVE-2026-42035
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-6chq-wfr3-2hj9
Release Date: 2026-04-24
Fix Resolution (axios): 1.15.1
Direct dependency fix Resolution (browser-sync): 3.0.0
Step up your Open Source Security Game with Mend here