CVE-2026-44489
LowCVSS 3.7Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
A vulnerability in Axios, an HTTP client, allows for the injection of malicious data into the Proxy-Authorization header if the proxy object is polluted. The issue exists in versions from 1.15.2 to before 1.16.0, where the setProxy() function does not check object properties.
Risk Assessment
An attacker can take control of user credentials, leading to unauthorized access to resources. This could result in serious security breaches within the organization.
Recommendation
It is recommended to update Axios to version 1.16.0 or later to eliminate this vulnerability. Additionally, conducting a code audit to identify potential similar issues is advisable.
Original NVD description (English source)
Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request. This vulnerability is fixed in 1.16.0.

