CVE Catalog

CVE-2026-44489

LowCVSS 3.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

19th percentile — higher than 19% of all known CVEs

Summary

A vulnerability in Axios, an HTTP client, allows for the injection of malicious data into the Proxy-Authorization header if the proxy object is polluted. The issue exists in versions from 1.15.2 to before 1.16.0, where the setProxy() function does not check object properties.

Risk Assessment

An attacker can take control of user credentials, leading to unauthorized access to resources. This could result in serious security breaches within the organization.

Recommendation

It is recommended to update Axios to version 1.16.0 or later to eliminate this vulnerability. Additionally, conducting a code audit to identify potential similar issues is advisable.

Original NVD description (English source)

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request. This vulnerability is fixed in 1.16.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS